v0.0.1

Official Xero skill

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:21 AM.

Analysis

This Xero skill is coherent for accounting work, but it gives an agent broad authenticated power to change financial records, so it should be reviewed carefully before use.

Guidance: Install only if you trust the `xero` CLI and have verified the skill's provenance. Before allowing any write action, confirm the active Xero organisation and profile, review the exact command and JSON payload, and require explicit approval for invoices, journals, payments, bank transactions, or other accounting changes.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High. Confidence: High. Status: Concern.
SKILL.md
Use it to read and write accounting data in the user's Xero organisation. ... xero invoices create --file invoice.json ... xero manual-journals create --file journal.json ... xero bank-transactions create --file bank-transaction.json

The skill explicitly enables write operations against financial accounting records. The artifacts do not add mandatory confirmation or containment steps before these high-impact create/update actions.

User impact: An agent using this skill could create or alter invoices, journals, bank transactions, and related business records in Xero.
Recommendation: Only use this skill with explicit user approval for every write action, and confirm the Xero organisation, profile, command, and payload before running create or update commands.
Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: High. Status: Note.
SKILL.md
requires: bins: - xero ... install: "npm install -g @xeroapi/xero-command-line"

The skill depends on an external globally installed npm CLI that is not included in the reviewed artifacts. This is expected for the purpose, but it is still a supply-chain dependency.

User impact: The actual behavior depends on the installed `xero` CLI package and version.
Recommendation: Install the CLI only from a trusted source, verify the npm package and version, and keep it updated.
Human-Agent Trust Exploitation
Severity: Medium. Confidence: Medium. Status: Concern.
metadata
Name: Official Xero skill ... Source: unknown ... Homepage: none

The listing presents the skill as official, but the provided metadata does not include a source or homepage to substantiate that provenance.

User impact: Users may place extra trust in the skill because it is labeled official, even though the supplied metadata does not prove its origin.
Recommendation: Verify the skill and CLI against Xero's official documentation before connecting it to a real Xero organisation.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High. Confidence: High. Status: Concern.
SKILL.md
using PKCE OAuth ... `--profile <name>` | Use a specific named profile (defaults to the default profile) ... xero login

The skill relies on a local authenticated Xero OAuth profile and defaults to the default profile, which can carry significant authority over a Xero organisation.

User impact: If the wrong local Xero profile is active, the agent could read or modify the wrong organisation's accounting data.
Recommendation: Before use, run `xero org details`, select an explicit `--profile`, and avoid granting broader Xero permissions than needed.