Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Invoice Engine

v1.0.0

Generate, manage, and track professional invoices with client onboarding, customizable payment terms, recurring billing, automated overdue reminders, and fin...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (invoicing, client onboarding, recurring billing, reminders) matches the SKILL.md content. The skill is zero-dependency and uses local YAML files for clients and invoices, which is coherent with an agent-based invoicing tool.
Instruction Scope
All instructions stay within invoicing: building invoices, onboarding clients, managing a ledger, and scheduling reminders. Two points to note: (1) it instructs the agent to maintain client PII (names, emails, tax IDs, addresses) in workspace YAML files — this is expected for invoicing but has privacy implications, and (2) 'overdue automation' and 'email reminders' are referenced but the skill does not define how to send emails or which external mail/scheduling service to use, leaving implementation up to the agent (not inherently malicious, but ambiguous).
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, so nothing is downloaded or written by an installer. This is the lowest-risk install profile.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportional to an instruction-only invoicing assistant. It does reference external payment methods (Stripe, PayPal, bank transfer, Bitcoin) in templates, but it does not request those service credentials; if you later supply payment-provider credentials to integrate them, that would be an external step not declared by the skill.
Persistence & Privilege
The skill expects to write and maintain YAML files (clients.yaml, invoices.yaml) in the agent workspace — persistent storage of PII and financial data. It does not request system-wide privileges or 'always:true' presence; agent autonomous invocation is the default and not a special privilege here.
Assessment
This is an instruction-only invoicing skill that appears to be what it says: it will create and manage local YAML files containing client and invoice data (including PII and tax IDs). Before installing or using it: (1) be aware your workspace will store sensitive client data — ensure those files are saved only where you expect them and consider encrypting/backing them up appropriately; (2) the skill mentions sending reminders and payment links but does not include configured email or payment integrations — you'll need to provide or connect those services separately, and only supply API keys or credentials if you trust the integration and restrict their scope; (3) review any external links in the README before clicking or entering payment information (marketing/context-pack links are present); and (4) if you need automated outbound actions (email, webhooks, payment charges), explicitly confirm what connector the agent will use and what credentials it will receive. Overall the skill is internally consistent, but treat stored data and any future credential provisioning with normal care.

Like a lobster shell, security has layers — review code before you run it.

accounts, billing, finance, invoice, latest: vk971q42dhyb1nhhjm351wg1k4x8156xc
