by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's code generally matches a bank-reconciliation tool, but there are multiple inconsistencies and implicit dependencies (PDF CLI, Feishu push call/integration and some test/instruction mismatches) that deserve review before trusting it with sensitive bank data.
评估建议
Do not upload real bank statements until you verify a few things: 1) Confirm where and how Feishu messages are actually sent — inspect tier_config.py and search for HTTP clients (requests/urllib) or any API keys; the repo only builds card payloads but documentation implies sending. 2) The PDF parser calls an external CLI ('miaoda-studio-cli doc-parse …') via subprocess: ensure you trust that binary, or replace PDF parsing with a known library, because the subprocess runs local code on your files...详细分析 ▾
ℹ 用途与能力
Name/description align with the code: parser, matcher, exporter and Feishu card builder implement reconciliation and reporting. However SKILL.md and README reference a push_reconciliation_to_feishu(...) runtime call and 'push to Feishu' behavior; the repository provides builders for Feishu cards but no explicit network/send function or declared Feishu credentials. Tier/token plumbing is referenced (token prefixes, TierConfig) but no declared environment variables — plausible design but inconsistent between docs and delivered code.
⚠ 指令范围
SKILL.md instructs calling reconcile_bank_statements(...) and 'push to Feishu', but the codebase only contains card-building functions (build_feishu_card/build_feishu_simple_message) and no defined push/send routine. The parser's PDF path calls an external CLI (subprocess.run of 'miaoda-studio-cli doc-parse ...') which is an implicit runtime dependency not documented in SKILL.md; that subprocess invocation will run a local binary on supplied files. Tests and some doc examples appear mismatched with implementations (e.g., test expectations vs parser return types), indicating the runtime behaviour might differ from the documentation.
⚠ 安装机制
There is no install spec (instruction-only in registry), which is low risk, but the code relies on optional Python packages (openpyxl import fallback) and an external CLI 'miaoda-studio-cli' invoked via subprocess for PDF parsing. That external binary is neither declared as required nor installed by the skill, creating an implicit installation/runtime dependency and supply-chain risk if a user installs a similarly-named binary or if a malicious binary exists on PATH.
ℹ 凭证需求
The skill requests no environment variables or credentials in the registry metadata. The code supports TierConfig and token-based tiers (token prefixes noted in docs), but tokens appear to be passed as parameters rather than read from env vars — this is coherent but the docs reference token validation and 'yk global backend' (TBD), so clarify where tokens are expected to come from. There are no explicit calls to external endpoints in the provided code (builders only), but the SKILL.md implies pushing to Feishu (which would require credentials) while none are declared.
✓ 持久化与权限
Skill does not request always:true, has no install scripts or modifications to other skills, and does not declare persistent system-level privileges. Exports files to local output_dir (default /tmp). Autonomous invocation is allowed (platform default) but not combined with other high-privilege flags.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/19
Initial release of Bank Statement Reconciler. - Enables automatic reconciliation of bank statements and order/invoice files (supports CSV/Excel/PDF). - Supports major Chinese banks (BOC, ICBC, CCB, ABC), Alipay, WeChat Pay, PayPal, Stripe, Amazon, Shopify, and Temu. - Offers multiple matching modes: exact, fuzzy, and semantic (AI-powered name matching). - Handles discrepancies with status tracking (processed, pending collection, bad debt) and exports detailed Excel reports. - Tiered features include limits, advanced matching, multi-platform support, and Feishu card output for Professional/Enterprise.
● 无害
安装命令
点击复制官方npx clawhub@latest install bank-statement-reconciler
镜像加速npx clawhub@latest install bank-statement-reconciler --registry https://cn.longxiaskill.com