Skillv1.0.0

ClawScan security

奶茶店老板专属的收支流水分析工具，只需要上传流水记录（文字/图片/Excel），自动帮你算出现金利润、成本结构、经营分析报告，零学习成本。 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 11, 2026, 1:31 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and runtime instructions are consistent with its stated purpose: a local text-based parser that produces a milk-tea shop income/expense report and it does not request credentials, make network calls, or install extra software.
Guidance: This skill appears to be a straightforward local text parser and reporting tool. Before using it: 1) Do not paste sensitive production financial data until you trust the hosting agent/platform — the skill itself does not exfiltrate data, but the agent environment or logs may retain inputs. 2) If you have images or Excel files, convert them to plain text (OCR/export) before calling the skill, since no OCR/Excel parsing is included. 3) Test with sample data (including edge cases like zero total income or zero total expense) because the report code performs divisions that may cause runtime errors when totals are zero. 4) Verify results manually for a while — the classification rules are simple keyword heuristics and may miscategorize some entries. If you need automatic OCR/Excel ingestion or more robust classification, request or inspect an updated version that explicitly includes those features.

Review Dimensions

Purpose & Capability: noteThe name/description match the code: the Python implementation parses text lines, classifies income/expenses, and generates a report. One minor mismatch: the README/SKILL.md claim "multi-format" support (images/Excel), but the shipped runtime only accepts plain text in the flow_content parameter — there is no built-in OCR or Excel file parsing. That means the user (or calling system) must supply extracted text rather than raw images/Excel files.
Instruction Scope: okSKILL.md instructs the agent to accept flow_content (text) and an optional period; the code only operates on provided text and does not read other files, environment variables, or external endpoints. No instructions attempt to collect unrelated system data. Note: the skill expects the caller to provide OCR/Excel-extracted text if using those formats.
Install Mechanism: okNo install spec is provided and no external downloads or package installs are required. The skill is a small local Python module with no external dependencies declared.
Credentials: okThe skill declares and requires no environment variables, credentials, or config paths — appropriate for a purely local parser that doesn't call external services.
Persistence & Privilege: okThe skill does not request always:true and does not modify other skills or system settings. It runs on demand and has no elevated persistence requirements.