Xero Cli

v1.0.7

Interact with Xero accounting software - manage invoices, contacts, accounts, payments, and bank transactions

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the code and required environment variables. The skill only requests XERO_CLIENT_ID and XERO_CLIENT_SECRET, which are exactly what's needed to authenticate to the Xero API. The included commands operate on invoices, contacts, accounts, payments and bank transactions via the Xero SDK — consistent with the description.
Instruction Scope
The SKILL.md instructs the agent to run the repo's TypeScript CLI via 'npx -y bun ${SKILL_DIR}/scripts/cli.ts'. At runtime the code will: open a browser for OAuth, start a local Express server on port 5001 to receive the callback, call Xero's API endpoints, and read/write a local token file (data/tokens.json). These actions are coherent with performing OAuth and using the Xero API, but they do give the skill the ability to bind a local port, open the browser, and write files under the skill directory. The code also reads optional env vars (XERO_REDIRECT_URI, XERO_SCOPES) beyond the two declared required env vars.
Install Mechanism
There is no formal install spec in registry metadata, but SKILL.md uses 'npx -y bun' to execute the TypeScript scripts. That will fetch and execute a runtime package via npx (npm). This is a common pattern but means the agent will download and run a package at execution time rather than relying on preinstalled, audited binaries. The repository includes full source code, so code will run from the checked-in files.
Credentials
Only XERO_CLIENT_ID and XERO_CLIENT_SECRET are required and are appropriate for a Xero integration. The code also checks optional env vars (XERO_REDIRECT_URI, XERO_SCOPES) which are reasonable for customizing OAuth behavior. No unrelated secrets or platform credentials are requested.
Persistence & Privilege
The skill stores OAuth tokens to a local file (data/tokens.json) inside the skill directory and can refresh tokens. It also starts a temporary HTTP server on port 5001 during authentication. 'always' is false and the skill is user-invocable, so it will not be force-enabled globally. The file writes and port binding are expected for an OAuth client but are persistent effects you should be aware of.
Assessment
This skill appears to do what it says: it needs your Xero client ID/secret, will open a browser for OAuth, run a temporary local server on port 5001, and store tokens under the skill's data/tokens.json. Before installing or running: (1) confirm you trust the source (repo: https://github.com/TeddyEngel/XeroCli), (2) be aware that 'npx -y bun' will fetch/execute a runtime package at execution time — consider running in an isolated environment or container if you want extra safety, (3) understand the skill will write tokens to the skill directory (revoke the Xero app or clear tokens if you stop using it), and (4) if you need stricter control, inspect the included source files yourself (they are present) and/or change XERO_REDIRECT_URI to a value you control. If anything is unclear, run the OAuth step manually outside the agent or test in a throwaway workspace first.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

📊 Clawdis
Env: XERO_CLIENT_ID, XERO_CLIENT_SECRET
Primary env: XERO_CLIENT_ID
