Official Xero skill
v0.0.1Interact with the Xero accounting API using the `xero` CLI tool. Manage contacts, invoices, quotes, credit notes, payments, bank transactions, items, manual...
⭐ 0· 83·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill's name and description match the runtime instructions: it expects the xero CLI and describes commands for contacts, invoices, quotes, journals, bank transactions, etc. Requiring the xero binary (or installing @xeroapi/xero-command-line) is proportionate for a CLI-based Xero integration. One minor provenance mismatch: the registry lists no homepage/source while the SKILL.md references an npm package; the absence of a documented source/homepage means the claim of being 'Official' cannot be independently verified from the manifest.
Instruction Scope
SKILL.md instructs the agent to use the xero CLI and to tell users to run 'xero login' for browser-based OAuth; it does not direct the agent to read unrelated system files, harvest credentials, or send data to unexpected endpoints. It accepts JSON file inputs for create/update operations (user must supply files), which is normal for a CLI. The instructions explicitly note the OAuth flow cannot be completed by the agent itself.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md metadata suggests 'npm install -g @xeroapi/xero-command-line'. Installing via the official npm package would be a typical and low-to-moderate-risk approach; however the registry entry lacks a homepage/source URL to verify that package provenance. Because this is instruction-only and contains no code, nothing will be written to disk by the skill itself.
Credentials
The skill declares no required environment variables or credentials. The SKILL.md merely notes that the CLI recognizes XERO_PROFILE and XERO_CLIENT_ID env vars (informational). This is proportionate: OAuth login is browser-based and user-driven, and no unrelated secrets or multiple external credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. Autonomous invocation is allowed (platform default), but there is no evidence the skill attempts to modify other skills or system-wide configurations. This level of presence is appropriate for an instruction-only CLI wrapper.
Assessment
This skill is an instruction-only helper for the Xero CLI and appears coherent with that purpose. Before installing/using it: 1) Verify the xero CLI package (@xeroapi/xero-command-line) on npm or from Xero's official docs and confirm you trust the package author, since the registry metadata lacks a homepage/source; 2) Install the CLI locally (npm -g) or ensure the 'xero' binary is on PATH; 3) Remember that you must run 'xero login' yourself in a browser to authorize access — the agent cannot complete OAuth for you; 4) Review the OAuth scopes the CLI requests during login and only grant the minimum needed; 5) If you are concerned about autonomous agent actions, disable or limit agent invocation for this skill or require explicit user confirmation before running commands that modify data (create/update/delete).Like a lobster shell, security has layers — review code before you run it.
latestvk971kp9c3a41n13yybtsbc3h6983m7bw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsxero