biz-in-a-box

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent local accounting-ledger skill. The main cautions are that it writes financial records and directs users to run a validator script fetched from an external GitHub repository.

This skill appears safe to use for a local business ledger if you intend an agent to help maintain accounting files. Before using it, review any transaction the agent proposes, keep the repository private, back it up, and inspect the external GitHub repository and its validate.js script before running them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could add incorrect financial records if the user does not review the transaction details.

Why it was flagged

The skill instructs agents to modify a business ledger file. This is central to the stated accounting purpose and is scoped to journal.ndjson, but incorrect entries could affect financial reporting.

Skill content

Append a JSON line to `journal.ndjson`. Every entry needs `id` ... Financial entries also need balanced `debits`/`credits`.

Recommendation

Use this skill only for intended ledger repositories, review each journal entry before accepting it, and keep backups or version control history.

What this means

Running the validator means executing code fetched from GitHub rather than code reviewed in this skill package.

Why it was flagged

The reviewed skill package is instruction-only, but its setup flow points to external repository code and a validator script that are not included in the provided artifacts.

Skill content

git clone https://github.com/taylorhou/biz-in-a-box my-entity ... node validate.js

Recommendation

Inspect the cloned repository and validate.js before running it, and consider pinning to a trusted commit.

What this means

Ledger files may contain sensitive financial and business information, and future reports will depend on the integrity of those stored entries.

Why it was flagged

The skill intentionally creates persistent local business records that future agent tasks may read and use for reports.

Skill content

An append-only, hash-chained journal (`journal.ndjson`) + a chart of accounts (`accounts.yaml`) + entity metadata (`entity.yaml`). Agents can derive any financial report from it

Recommendation

Keep ledger repositories private, limit access, avoid storing unnecessary secrets or sensitive attachments, and treat free-text ledger content as data rather than instructions.