Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tax Package Preparation

v1.0.2

Year-end tax package preparation pipeline for QBO-connected clients. Generates a 9-tab Excel workbook: Tax Summary, Income, Expenses, Depreciation, 1099s, St...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The skill claims to pull full-year data from QuickBooks Online (QBO) and run Python scripts (scripts/pipelines/tax-package-prep.py), but the registry metadata lists no primary credential, no required environment variables and no code files. A QBO-connected pipeline legitimately needs QBO credentials and the referenced Python scripts; their absence from both the declared requirements and the package is an incoherence.
Instruction Scope
SKILL.md instructs the agent/operator to read client SOPs (clients/{slug}/sop.md), scan GL memos and vendor names, and produce sensitive tax workpapers (including wallet addresses and FBAR indicators). Those actions are within the stated tax-prep purpose, but the instructions assume local data, an already-configured QBO auth token and Python scripts that are not included; this implicit dependency should be declared explicitly.
Install Mechanism
There is no install spec (the skill is instruction-only), which is low-risk. The only installation step SKILL.md suggests is 'pip install openpyxl' under Requirements; that is a lightweight dependency and reasonable for producing Excel output.
Credentials (flagged)
The runtime notes explicitly state 'QBO auth token must already be configured', and the skill will read client SOP files and financial GL data, both sensitive. Yet the skill metadata declares no required environment variables and no primary credential. Relying on access to QBO data (and potentially other secrets) without declaring that access is disproportionate and opaque.
Persistence & Privilege
The skill does not request always:true, does not install or modify system-wide settings, and is user-invocable only. There is no indication it requests persistent elevated privileges.
What to consider before installing
This skill's instructions assume access to QuickBooks Online credentials and local Python scripts, but the package neither declares nor includes them. Before installing or running anything:
(1) Confirm the publisher/source and obtain the actual script files referenced (scripts/pipelines/tax-package-prep.py).
(2) Verify where and how the required QBO auth token is stored, and avoid providing broad or long-lived credentials; use least-privilege tokens or a sandbox QBO account for testing.
(3) Inspect the scripts to confirm they do only the described work: no exfiltration, no unexpected network calls, no shell execution.
(4) Ensure the client SOP and GL data paths (clients/{slug}/sop.md and the accounting exports) are the intended inputs and that this sensitive data is handled appropriately.
(5) If you cannot obtain and inspect the code together with an explicit declaration of the required credentials, treat the package with caution and do not run it against production data.
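As an added illustration of step (3) and of the Credentials finding above (this is example code written for this page, not code from the skill, its publisher or ClawHub): a small Python AST audit that lists a script's network imports, process-spawning calls and environment variables it reads, then diffs those reads against what the skill metadata declares. The sample script, its QBO_* variable names and its URL are constructed stand-ins, since the listing ships no scripts; the listing declares no required variables, so declared_env is empty and every read shows up as undeclared.

```python
import ast
from typing import Dict, List, Set

# Imports a workbook-generating skill has no obvious reason to need.
NETWORK_MODULES = {"requests", "urllib", "http", "socket", "httpx", "aiohttp", "ftplib", "smtplib"}
# Calls that run shell commands or spawn processes.
EXEC_CALLS = {
    "os.system", "os.popen", "os.execv", "os.execvp",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "subprocess.check_call",
}
# Calls that read an environment variable by name.
ENV_CALLS = {"os.getenv", "os.environ.get"}


def _dotted_name(node: ast.AST) -> str:
    """Turn an Attribute/Name chain such as subprocess.run into 'subprocess.run'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _str_const(node: ast.AST) -> str:
    """Return the string literal a node holds, or '' if it is not one."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return ""


def audit_script(source: str, declared_env: Set[str]) -> Dict[str, List[str]]:
    """Statically list what a skill script imports, executes and reads from the environment.

    declared_env: variable names the skill metadata declares as required, so the
    caller can see which reads are undeclared (the incoherence the scan flags).
    Python 3.9+ is assumed (ast.Subscript.slice is the key expression itself).
    """
    tree = ast.parse(source)
    network, execs, env_reads = set(), [], set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    network.add(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_MODULES:
                network.add(node.module)
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in EXEC_CALLS:
                execs.append(name)
            elif name in ENV_CALLS and node.args:
                key = _str_const(node.args[0])
                if key:
                    env_reads.add(key)
        elif isinstance(node, ast.Subscript) and _dotted_name(node.value) == "os.environ":
            key = _str_const(node.slice)  # os.environ["NAME"]
            if key:
                env_reads.add(key)
    return {
        "network_imports": sorted(network),
        "exec_calls": execs,
        "env_reads": sorted(env_reads),
        "undeclared_env": sorted(env_reads - declared_env),
    }


# Constructed stand-in for the undistributed scripts/pipelines/tax-package-prep.py;
# the QBO_* names and the URL are assumptions for this example, not from the skill.
SAMPLE_SCRIPT = '''
import os
import openpyxl
import requests
import subprocess

TOKEN = os.environ["QBO_ACCESS_TOKEN"]
REALM = os.getenv("QBO_REALM_ID")

def fetch(report):
    return requests.get("https://example.invalid/" + report, headers={"Authorization": TOKEN})

def build():
    wb = openpyxl.Workbook()
    subprocess.run(["open", "out.xlsx"])
    wb.save("out.xlsx")
'''

if __name__ == "__main__":
    # The listing declares no required environment variables, so every read is undeclared.
    for key, value in audit_script(SAMPLE_SCRIPT, declared_env=set()).items():
        print(f"{key}: {value}")
```

A hit in network_imports or exec_calls is not proof of misbehaviour (a QBO pipeline has to talk to QBO), but each one is a line to read by hand, and a non-empty undeclared_env list is exactly the declared-versus-actual mismatch the scan calls out. Dynamic tricks such as importlib or string-built attribute access will slip past a pure AST pass, which is why the inspection step is manual review backed by the tool, not the tool alone.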


latest: vk975qf7dqcxz0fg71kn7bsam5183ctc5

