Skillv1.0.0

ClawScan security

Emissor de Nota Fiscal Paulistana · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 9:50 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill generally matches its stated purpose (emit/cancel NFS-e) but contains several incoherencies around credentials, file expectations, and autonomous file writes that a user should review before installing.
Guidance: This package appears to implement the advertised São Paulo NFS-e flows, but review these points before installing or using it with real certificates: 1) The code expects a municipal certificate (.p12) and the NFSE_CERT_PASSWORD env var, but the skill metadata does not declare those — expect to provide a certificate file and a password. 2) SKILL.md instructs the agent to create/modify files (config.json, .env, tomadores.json, contador_rps.txt). If you don't want the agent writing files, do not allow the automated wizard; instead configure files manually. 3) The README advises putting the certificate password into a plaintext .env file — store secrets securely (restrict file permissions, or use a secrets manager) and remove the .env from backups/version control. 4) The SKILL.md references env.example which is not included; verify the setup steps and supply your own .env if needed. 5) The scripts create temp PEM files and write debug/response XML to disk — audit those files for sensitive content and ensure temporary files are removed and access-restricted. 6) Verify dependencies (requests, lxml, signxml, cryptography, python-dotenv) are installed in a controlled environment. Recommended safe steps: test in an isolated environment with a revoked/test certificate; inspect the code yourself (or with a developer) before adding a production certificate; restrict file permissions on the certificate and .env; and avoid letting the agent perform automatic writes if you prefer manual control. If you want, provide me with specific lines or behaviors to inspect further (e.g., confirm absence of external, unexpected network endpoints or detect any code paths that upload files to non-official hosts).

Review Dimensions

Purpose & Capability: concernThe code and SKILL.md implement São Paulo NFS-e operations (issue, cancel, download) and call official prefeitura endpoints — this matches the name/description. However the registry metadata declares no required env vars or config paths while the code and docs clearly expect a certificate file (a .p12) and the NFSE_CERT_PASSWORD environment variable / .env file. Also SKILL.md references an env.example template that is not present in the file manifest. These mismatches are disproportionate to the stated metadata and may lead to unexpected behavior.
Instruction Scope: concernSKILL.md instructs the agent to read and write workspace files (config.json, tomadores.json, contador_rps.txt), create/rename a hidden .env, and autonomously populate config.json after an interactive wizard. Asking the agent to create hidden files and write configuration and to instruct the user how to paste secret passwords into .env is within the functional scope of setup, but grants the agent broad filesystem-write actions and handling of secrets — more scope than what the registry metadata declares and something users should explicitly consent to.
Install Mechanism: noteThis is an instruction-and-code bundle with no install spec (lowest installation risk). The Python scripts require third-party libraries (requests, signxml, cryptography, lxml, python-dotenv) but the package makes no installation or dependency instructions in the registry metadata — the absence of an install spec is plausible but incomplete; the user must ensure the runtime has the required packages.
Credentials: concernThe skill requests/uses sensitive artefacts: a municipal certificate file (.p12) and the NFSE_CERT_PASSWORD environment variable (read via dotenv and os.environ). Yet the registry metadata lists no required environment variables or config paths. Storing the password in a plaintext .env file (as instructed) is insecure unless file permissions are hardened. The number and sensitivity of required secrets are proportionate to the functionality, but the missing declarations and the plaintext .env guidance are concerning.
Persistence & Privilege: notealways is false and the skill is user-invocable; autonomous invocation is allowed and used by the SKILL.md (e.g., the wizard that writes config.json). The skill modifies files within its own workspace (normal) and creates temporary PEM files when making TLS client-authenticated requests (expected). This is acceptable for the purpose but the combination of autonomous file writes + secret handling + invoking other skills (e.g., the 'GOG' e-mail skill) increases the blast radius and should be considered by the user.