Scan Report
15 /100
budget-builder
Dual-mode budget pipeline for FP&A-quality budget management with QBO integration
Finance-focused budget builder skill with only documentation; no executable code present to analyze for security issues.
Safe to install
Request actual implementation code (budget-builder.py) before deployment. The SKILL.md references scripts/pipelines/budget-builder.py which does not exist in the package.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Missing implementation reference Doc Mismatch | SKILL.md:31 |
| Low | Undeclared resource capabilities Doc Mismatch | SKILL.md:1 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ/WRITE | ✓ Aligned | SKILL.md:Cache locations and Excel outputs imply file operations but not explici… |
| Network | NONE | READ | ✓ Aligned | SKILL.md:QBO API calls implied but not declared as network:READ |
| Shell | NONE | NONE | — | No shell commands in documentation |
| Environment | NONE | NONE | — | No environment variable access documented |
| Skill Invoke | NONE | NONE | — | N/A |
| Clipboard | NONE | NONE | — | N/A |
| Browser | NONE | NONE | — | N/A |
| Database | NONE | NONE | — | N/A |
File Tree
1 files · 9.9 KB · 301 lines Markdown 1f · 301L
└─
SKILL.md
Markdown
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
openpyxl | * | pip | No | Version not pinned but library is standard and well-maintained |
Node.js QBO client | N/A | external | No | Referenced but not included; actual client library unknown |
Security Positives
✓ Documentation describes standard FP&A workflows with no suspicious command patterns
✓ No references to credential harvesting, base64 encoding, or obfuscation
✓ No mention of remote script execution (curl|bash, wget|sh)
✓ Dependencies are reasonable for a finance tool (openpyxl for Excel)
✓ Error handling appears legitimate (FileNotFoundError, RuntimeError for connection issues)