Ksef Accountant En
v2.2.6
Polish National e-Invoice System (KSeF) accounting assistant (English). Use when working with KSeF 2.0 API, FA(3) invoices, Polish VAT compliance, e-invoice...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (KSeF accounting assistant) matches the files: extensive FA(3) examples, API reference, workflows, ML design patterns and security guidance. The optional environment variables (KSEF_TOKEN, KSEF_ENCRYPTION_KEY, KSEF_BASE_URL) are directly relevant to interacting with the KSeF API and storing tokens, so they are proportionate to the skill's purpose.
Instruction Scope
The SKILL.md and reference files contain many illustrative code snippets that show how to call KSeF endpoints, validate XML, store/rotate tokens, query the VAT White List and implement ML patterns. Those examples are appropriate for the documented use, but they do describe accessing and storing credentials (via env vars, DB or Vault) — the skill itself does not execute code, so these remain recommendations. The author also explicitly warns not to paste secrets into the conversation and instructs verifying platform-level protections before supplying real tokens.
Install Mechanism
There is no install spec and no code files to execute; the skill is instruction-only (Markdown). That yields a low installation risk: nothing is downloaded or written by the skill itself.
Credentials
No environment variables are required by default; the frontmatter declares optional secrets that are appropriate for interacting with KSeF (API token, optional encryption key, base URL). This is proportional to the task — however, safety depends on the platform correctly marking/isolating these as secrets and respecting the 'disableModelInvocation' flag before you configure them.
Persistence & Privilege
The skill declares disable-model-invocation (in frontmatter and skill.json) so it intends to be non-autonomous; always:false and disable-model-invocation:true are consistent with low privilege. There is no request for permanent or cross-skill configuration changes in the files. The frontmatter/manifest warnings appropriately ask users to confirm platform enforcement.
Assessment
This skill is instruction-only and appears coherent with its KSeF accounting purpose, but follow these precautions before enabling it with real credentials:
1) After adding the skill, open the platform's registry/metadata UI and confirm disable-model-invocation (or equivalent) is set to true and that KSEF_TOKEN / KSEF_ENCRYPTION_KEY are shown as secret-scoped — if not, do NOT provide credentials.
2) Never paste tokens, certificates, or encryption keys into a chat; use the platform's secret storage/ephemeral env vars or a vault.
3) Prefer the demo base URL (https://ksef-demo.mf.gov.pl) for integration tests; do not use production until you verify platform controls and inspect audit/logging.
4) The skill contains illustrative code that, if implemented in your environment, will access external endpoints (KSeF, VAT White List, Vault) — ensure you review and secure any implementation you copy (least privilege, secret rotation, audit logs).
5) If the platform does not honor the declared disable-model-invocation or secret isolation, treat the skill as higher risk and either run it only manually with no credentials or contact the platform provider.
If you want a deeper assurance, ask the skill author for a short checklist of the exact skill.json fields the platform should display and compare them to what you see in the registry.
Like a lobster shell, security has layers — review code before you run it.
