Vendor Compliance 1099

This SKILL.md looks like a recipe for a local Python pipeline, but the package is incomplete and raises several red flags you should resolve before using it: - Missing code and auth: The instructions reference scripts/pipelines/vendor-compliance-1099.py and QBO pulls, but no code or authentication flow is provided. Ask the publisher for the actual code and clear QBO auth instructions (OAuth client, environment variables, or secure token storage). Do not supply QBO credentials until you confirm how they will be used and stored. - Sensitive persistent data: The skill stores W-9 and TIN data in .cache/*.json. Confirm how those files are protected (encryption at rest, file ACLs, retention policy). If you run this, prefer a sandbox environment and ensure backups/encryption are in place. - Incomplete security guidance: There is no mention of where API tokens are read from, whether logs contain PII, or whether the Excel output contains masked TINs. Get explicit handling rules for PII and audit logging from the author. - Don’t run arbitrary commands: Because the code is not bundled, the SKILL.md could be a template for a local script expected to exist in your environment. Only run it after you (or a trusted developer) have inspected the actual script files and confirmed they do what is described. - If you still want to try it: run in an isolated sandbox with test data (--sandbox or --skip-gl), inspect all generated .cache files and the produced Excel workbook, and verify no credentials are exfiltrated. Prefer least-privilege QBO access (read-only account scoped to the needed company) and rotate any tokens after testing. If the publisher provides the missing code and clear authentication + PII-handling controls, re-evaluate; as-is the skill is internally inconsistent and potentially risky.