Greek Compliance Aade
ReviewAudited by ClawScan on May 10, 2026.
Overview
The visible artifacts describe a coherent Greek tax-compliance assistant, but it handles official tax credentials, submissions/payments, and stored accounting data that users should control carefully.
This skill appears benign and purpose-aligned for Greek compliance work. Use it offline without AADE credentials when preparing or calculating filings; only set AADE_USERNAME and AADE_PASSWORD when you are ready to submit. Manually review every generated return, invoice submission, signature, and payment instruction, and secure OPENCLAW_DATA_DIR because it may hold sensitive accounting and payroll records.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these credentials are misused or exposed, an agent or operator could access or submit official tax information for the user.
The skill asks for AADE/TAXIS credentials for official tax submissions. This is expected for the stated integration, but those credentials can grant sensitive government-account access.
# 2. AADE credentials (required only for submitting filings — preparation works offline) export AADE_USERNAME="your-aade-username" export AADE_PASSWORD="your-aade-password"
Provide AADE credentials only for explicit submission tasks, keep them out of logs and shared shells, prefer dedicated or least-privilege credentials where possible, and rotate them if exposed.
Incorrect or premature use could affect official tax records or financial payment workflows.
The documented workflows can submit invoices to myDATA and initiate or track payments. These are high-impact external actions, but they are aligned with the accounting purpose and the skill states that submissions require human approval.
Invoice Registration: Real-time myDATA platform integration for invoice submission ... SEPA Payment Processing: EU standard payment initiation and tracking
Require explicit human confirmation for every external filing, invoice submission, digital signature, and payment action; review generated XML and payment details before transmission.
Anyone with access to the data directory or backups could view or alter sensitive business, employee, or tax information, potentially affecting later compliance outputs.
The skill creates persistent local compliance folders that may hold VAT, EFKA, myDATA, income-tax, payroll, and audit records. These records may be reused as context for future filings.
mkdir -p $OPENCLAW_DATA_DIR/compliance/{vat,efka,mydata,e1,e3}Use a protected data directory, restrict filesystem permissions, encrypt or secure backups, and define retention and review practices for generated compliance files.
The agent may create or maintain deadline reminders or monitoring workflows beyond a single chat session if the user enables them.
The skill describes ongoing monitoring and optional calendar synchronization. This is coherent for compliance reminders, but it implies persistent or recurring activity if configured.
Real-time Compliance: Continuous monitoring of regulatory changes and deadlines ... optional_env: {"GOOGLE_CALENDAR_ID": "Google Calendar ID for compliance deadline sync (optional)"}Make monitoring and calendar sync explicitly opt-in, review created schedules or calendar entries, and keep automated reminders separate from any automatic submission behavior.
Users are relying on the visible prompt instructions and registry metadata rather than audited runnable code.
The supplied package has no executable code or install script to inspect, and the registry source is listed as unknown. This is not suspicious by itself, but it limits provenance assurance.
Source: unknown ... No install spec — this is an instruction-only skill. ... No code files present
Verify the homepage/repository before production use, compare the full SKILL.md against the installed artifact, and re-scan if future versions add code or install steps.