Security scan
OpenClaw
Suspicious
medium confidence
The skill largely does what it says (bank statement reconciliation), but there are multiple implementation inconsistencies and an external token-validation network call that are not clearly disclosed — review before providing real credentials or production data.
Assessment and recommendations
This skill appears to implement bank statement reconciliation, but exercise caution before using it with real data:
- Dependency gaps: The code expects Python packages (requests, openpyxl) and an external CLI ('miaoda-studio-cli') for PDF parsing. These are not listed in the skill metadata — the agent may fail or behave unexpectedly if they are missing.
- Remote validation: If you provide a tier token (e.g., BANK-PRO-...), the skill will POST that token to https://geo-api.yk-global.com/validat...
ℹ Purpose and capabilities
Name, description, and code align: parsers, matcher, exporter, and Feishu card builder are consistent with a reconciliation tool. However, the bundle includes a remote token verification endpoint (geo-api.yk-global.com) and a large VALID_PREFIXES list that are not clearly justified by the declared requirements (the skill declares no required credentials). Token handling is optional (via TierConfig) but present in multiple places (README, SKILL.md examples).
ℹ Instruction scope
SKILL.md instructs the agent to parse statement/order files and call reconcile_bank_statements and optionally push Feishu cards. It does not instruct reading unrelated system files or env vars. But runtime code will attempt PDF parsing by invoking an external CLI (miaoda-studio-cli) and may perform remote token validation if a token is supplied — these behaviors are not fully spelled out in the runtime instructions.
⚠ Install mechanism
No install spec (instruction-only) but the code depends on third-party packages and an external CLI: openpyxl and requests are imported (not declared), and parser._parse_pdf calls subprocess to run 'miaoda-studio-cli doc-parse' — a binary that is neither required nor documented in the skill metadata. That mismatch can cause runtime failures and suggests missing dependency documentation.
⚠ Credential requirements
The skill declares no required env vars or primary credential, yet supports a user token (TierConfig.token) and will POST that token to https://geo-api.yk-global.com/validate for validation. Sending tokens to an external endpoint can leak sensitive credentials; the code also returns True on network errors (lax fallback). There are no other declared credentials, but the token behavior and verification host are not clearly disclosed in SKILL.md.
✓ Persistence and privileges
The skill does not request always: true, does not modify other skills, and has no install script that writes to system-wide configs. It runs entirely as a library within the skill bundle.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/21
- Initial release of Bank Statement Reconciler Pro.
- Upload and reconcile bank statements (CSV/Excel/PDF) with orders/invoices using AI auto-matching.
- Supports major Chinese banks (BOC, ICBC, CCB, ABC), Alipay/WeChat Pay, PayPal, Stripe, Amazon, Shopify, Temu.
- Matching modes: exact, fuzzy (with configurable date/amount tolerance), and semantic (AI-based name matching, Professional tier+).
- Exports reconciliation results with matched, difference, unclaimed, and unmatched transactions; Excel and Feishu card output available for higher tiers.
- Tiered features and usage limits; robust error handling for unsupported formats, missing columns, and more.
● Harmless
Install command
Official: npx clawhub@latest install bank-statement-reconciler-pro
Mirror (accelerated): npx clawhub@latest install bank-statement-reconciler-pro --registry https://cn.longxiaskill.com (mirror syncing)