Back to skill
Skillv1.0.0
ClawScan security
Receipt Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 4, 2026, 11:23 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required packages align with its stated purpose (local receipt scanning, OCR via the platform image tool, filename generation, and Excel report output); it does not request unrelated credentials or network endpoints.
- Guidance
- This skill appears coherent and limited to local receipt processing, but consider these precautions before installing: 1) The SKILL.md asks you to run `pip install` for standard libraries (openpyxl, pdfplumber, Pillow) — install in a virtualenv to avoid polluting your system Python. 2) The skill reads/writes files: it will create/modify config.json and copy/rename files into its output directory (default under the project). Point it at a test folder first and back up originals. 3) OCR is done via the platform 'image' tool per the instructions — be aware images/receipt data will be processed by that tool (check privacy/policy for the platform). 4) Inspect config.json and the included code if you want to confirm there are no additional behaviors in your deployment. 5) No network endpoints, credentials, or unexpected installers are present, so running in a restricted environment or VM is a reasonable precaution but not strictly required.
Review Dimensions
- Purpose & Capability
- okName/description (receipt processing: detect, extract, rename, report) matches the included Python modules (scanner, namer, reporter, utils). Declared requirements are minimal (no credentials, no external services). The SKILL.md instructs using the platform 'image' tool for visual recognition — consistent with an OCR workflow.
- Instruction Scope
- okSKILL.md and code limit actions to scanning a user-provided directory, calling the platform image tool for OCR, extracting fields, renaming/ copying files, and writing an Excel report. There are no instructions to read unrelated system files or to transmit data to external endpoints outside the expected image tool and local filesystem.
- Install Mechanism
- noteRegistry has no automated install spec (instruction-only), but the package includes requirements.txt and SKILL.md suggests running `pip install openpyxl pdfplumber Pillow`. These are standard PyPI packages appropriate for PDF/image parsing and Excel generation. No downloads from untrusted URLs or archive extraction are present.
- Credentials
- okThe skill does not require credentials. It will optionally read COMPANY_NAME, PERSON_NAME, and OUTPUT_DIR environment variables (and a local config.json) — all directly relevant to naming/output behavior. No sensitive tokens or unrelated env vars are requested.
- Persistence & Privilege
- okalways is false and the skill does not attempt to modify other skills or global agent settings. It writes local configuration (config.json) and output files under the project/output directory by default — expected for a file-processing tool.