Skillv1.0.0

ClawScan security

Heath Ledger · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 23, 2026, 5:30 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code, scripts, and runtime instructions are consistent with an AI bookkeeping tool for Mercury + Stripe data; nothing obvious indicates hidden exfiltration or unrelated capabilities, but there are a few operational/privacy issues you should review before use.
Guidance: What to check before installing/using: - Inspect the small client wrappers (scripts/lib/mercury-client.js and scripts/lib/stripe-client.js) to confirm they call the official API endpoints you expect and do not send data elsewhere. - Understand where credentials are stored: tokens you pass (Mercury/Stripe) are saved plaintext in data/heath.db. If this DB is on a shared machine or backup, treat the tokens as sensitive and consider encrypting the DB or using filesystem protections. - Avoid running developer-only scripts (e.g., those with hardcoded /home/andrew/... paths) unless you review/adjust them; they reference local example directories and could attempt to read files from absolute paths. - If you plan to run categorize -> AI -> categorize_ai_results workflow, be aware AI-inferred rules are written into the DB (source='ai') and the project includes logic to promote rules; review how rules are promoted before using on multiple entities to avoid accidental global rule propagation. - Run the skill in an isolated environment (local VM/container) if you want to limit blast radius and inspect network traffic during initial runs. - If you need stronger protection for API tokens, add encryption at rest or use a secrets manager instead of storing tokens plaintext in the SQLite file. Overall: the package appears coherent and consistent with its stated bookkeeping purpose, but take the above operational/privacy steps before running it with real production credentials.

Review Dimensions

Purpose & Capability: okName/description (bookkeeping for Mercury accounts, categorization, P&L/BS/Cash Flow generation) match the provided scripts and libraries: connect_mercury, pull_transactions, categorize (rules + AI), optional connect_stripe, generate_books. Requests for Mercury/Stripe tokens as runtime arguments are proportionate to the stated purpose.
Instruction Scope: noteSKILL.md directs the operator to run local node/bash scripts which read/write a local SQLite DB (data/heath.db), call Mercury/Stripe APIs, produce AI categorization prompts (JSON to stdout) and accept AI results back. This is within bookkeeping scope, but the skill emits AI prompts that rely on the host agent to call an LLM (expected for 'AI categorization') and will persist AI-created rules into the DB. Several scripts reference or default to developer paths (e.g., /home/andrew/clawd/projects/heath-ledger/bookkeeper-examples) — harmless unless you run those scripts and expect them to point at your data. No instructions to send data to unknown external endpoints were found in the visible files.
Install Mechanism: okThere is no remote install or download; code is bundled with the skill. No brew/npm/go downloads or external archives are fetched during install. This limits supply-chain risk. (That said, review package.json/package-lock if you plan to run npm install to ensure dependencies are acceptable.)
Credentials: noteThe skill declares no required env vars but expects the user to supply Mercury/Stripe API tokens as command-line arguments; those tokens are stored in the local SQLite DB in plaintext (comment in connect_mercury.mjs: 'store token as-is locally — no encryption needed for local SQLite'). Storing access tokens locally is functionally required but has privacy implications; the skill also inserts AI-generated categorization rules into the DB (source='ai'), which may cause cross-entity propagation if rules are promoted to global later. No unrelated credentials are requested.
Persistence & Privilege: okalways:false (not force-included). The skill stores data in its own SQLite database and writes generated Excel files to a local data/ directory — expected for bookkeeping. It does not request or modify other skills' configurations. Autonomous invocation is allowed by default (not a red flag alone) but combine with caution if you permit full autonomy and provide credentials.