Scan Report
0 /100
expense-reimbursement
Travel Expense Reimbursement Assistant - Automates receipt scanning, classification, form filling, and print package generation for Chinese corporate expense reports
This is a legitimate travel expense reimbursement assistant with comprehensive documentation, user confirmation checkpoints, and well-defined file/document processing capabilities. No malicious behavior detected.
Safe to install
This skill is safe to use. No action required.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md lines 1-50: Full workflow documents file read/write for PDFs, DOCX, ima… |
| Network | READ | READ | ✓ Aligned | SKILL.md: XSD schema references for XML parsing; scripts/unzip_and_parse.py line… |
| Shell | READ | READ | ✓ Aligned | SKILL.md: Documents tesseract (Linux/Windows) and qlmanage (macOS) for OCR |
| Environment | READ | READ | ✓ Aligned | scripts/unzip_and_parse.py: REIMBURSEMENT_DIR env var documented and declared in… |
| Skill Invoke | NONE | NONE | — | No skill invocation detected |
| Clipboard | NONE | NONE | — | Not used |
| Browser | NONE | NONE | — | Not used |
| Database | NONE | NONE | — | Not used |
2 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | http://invoice.xsd | scripts/unzip_and_parse.py:84 |
| Medium | External URL | http://www.typing/xsd | scripts/unzip_and_parse.py:84 |
File Tree
3 files · 35.9 KB · 1004 lines
Markdown 2f · 799L
Python 1f · 205L
├─ references
│  └─ workflow.md (Markdown)
├─ scripts
│  └─ unzip_and_parse.py (Python)
└─ SKILL.md (Markdown)
Dependencies 4 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| python-docx | latest | pip | No | Used for Word form reading and filling - legitimate document processing |
| pypdf | latest | pip | No | PDF merging - legitimate document processing |
| reportlab | latest | pip | No | Image-to-PDF conversion with A4 scaling - legitimate document processing |
| Pillow | latest | pip | No | Image dimension reading - legitimate document processing |
Security Positives
✓ Comprehensive SKILL.md with 704 lines of clear documentation
✓ User confirmation checkpoints at Steps 5.5, 7.1, 7.3, 7.4, and 8 - prevents autonomous operation
✓ Original file protection: 00_原始资料/ always retained, deletions require explicit authorization
✓ Template requirement enforced: skill pauses if template missing, cannot skip
✓ Project code confirmation required before form filling
✓ All dependencies documented: python-docx, pypdf, reportlab, Pillow, tesseract/qlmanage
✓ Clean Python implementation using only standard libraries (zipfile, os, xml.etree.ElementTree)
✓ No credential harvesting or sensitive path access
✓ No external network requests or data exfiltration
✓ Legitimate document processing: PDF merge, image-to-PDF conversion, DOCX form filling
✓ OCR tools (tesseract/qlmanage) properly documented as dependencies
✓ Supports cross-platform (macOS/Linux/Windows) with proper platform detection
✓ Configurable paths through environment variables (documented)
✓ Automatic skipping of irrelevant files (.DS_Store, 申请截图.png)
✓ Recursive ZIP scanning properly declared for receipt processing