Low risk: risk score 10/100
Last scan: 19 hours ago
document-ingestion
Process raw accounting source documents (PDFs, CSVs, bank statements, invoices, receipts) into standardized transaction records for QBO import.
A well-documented accounting document ingestion skill with no implementation scripts present. All declared functionality (PDF/CSV processing, QBO export, Excel output) is legitimate and standard for financial workflows.
Skill name: document-ingestion
Analysis time: 34.5s
Engine: pi
Verdict: can be installed
Package is safe to use. However, no implementation scripts exist — only SKILL.md documentation is included. Ensure the implementation script (scripts/pipelines/document-ingestion.py) is delivered alongside this skill before deployment.

Security findings: 1

Severity | Finding | Location
--- | --- | ---
Low | No implementation script included in package (category: documentation deception) | scripts/pipelines/document-ingestion.py

SKILL.md references scripts/pipelines/document-ingestion.py as the implementation, but no script files are included in the package. This prevents verification of doc-to-code alignment.
→ Ensure the implementation script is packaged alongside SKILL.md before deployment so that a full code review can be performed.
Reference: SKILL.md:65
Resource type | Declared permission | Inferred permission | Status | Evidence
--- | --- | --- | --- | ---
Filesystem | READ | READ | ✓ consistent | SKILL.md: Reads input documents (PDF, CSV, images) from user-provided paths
Filesystem | WRITE | WRITE | ✓ consistent | SKILL.md: Writes Excel workbook + QBO CSV to --out directory
Network access | READ | READ | ✓ consistent | SKILL.md: Pulls Chart of Accounts from QBO API only when --no-qbo-coa is not set
Command execution | NONE | NONE | | No shell execution declared or implied in SKILL.md
Environment variables | NONE | NONE | | No environment variable access declared; QBO auth handled via token config
Browser | NONE | NONE | | Not referenced in SKILL.md
Database | NONE | NONE | | No database access declared or implied
Clipboard | NONE | NONE | | Not referenced in SKILL.md

Directory structure

1 file · 8.8 KB · 257 lines
Markdown: 1 file · 257 lines
└─ SKILL.md  Markdown · 257 lines · 8.8 KB

Security highlights

✓ Comprehensive documentation with clear scope boundaries (explicitly excludes reconciliation, P&L, AR collections)
✓ Financial calculations use Python Decimal with ROUND_HALF_UP to 2 decimal places — no floating-point arithmetic risks
✓ Duplicate detection logic is well-defined with explicit ±3 day window and matching criteria
✓ No credential harvesting or environment variable exfiltration referenced
✓ No obfuscation, base64, or anti-analysis patterns present in documentation
✓ QBO API integration is scoped to read-only Chart of Accounts pull — no write-back to QBO without user action
✓ CDC cache stores only delta metrics (counts and statistics) — no raw financial data exfiltration
✓ Standard, well-known Python packages only (openpyxl, pdfminer.six, ofxparse)
✓ MIT license clearly declared