Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

invoice-merger

v1.0.5

Merges invoice files. PDFs are laid out two per page, stacked top and bottom; images are laid out in a 2x2 grid; uniform trim lines and safe margins are applied; output goes to a directory named YYYYMMDD--已合并 ("merged"). Repeated runs automatically skip previously merged files and continue generating from the next sequence number.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (invoice merging) align with the included Python script which uses pypdf and Pillow to merge PDFs/images. However, SKILL.md's install commands reference a different package owner/slug (cdk1025/invoice-merger) than the registry owner id presented (kn76tcc5...), which is an inconsistency worth checking (likely copy/paste or packaging mismatch).
Instruction Scope
SKILL.md and the script restrict activity to local file-system processing of PDFs and images in the given directory and explicitly skip previously generated merged files. The script will open the generated output using the system default opener (via subprocess), and it processes any directory the user supplies — so avoid pointing it at system or sensitive directories. No instructions or code attempt network access or read environment variables.
Install Mechanism
No install spec is included in the registry metadata; the skill is delivered with a Python script and the README recommends installing only pypdf and Pillow via pip. The SKILL.md mentions optional npx/ClawHub install paths (which refer to a different slug/owner); this is a documentation inconsistency but the actual code is local and requires only standard Python packages.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The code imports only pypdf and Pillow and otherwise operates on local files — the requested capabilities are proportionate to the stated purpose.
Persistence & Privilege
The skill does not demand always: true and does not modify other skills or global agent settings. It runs on-demand and does not persist credentials or change system-wide configuration. The script will create an output folder in the input directory as described.
What to consider before installing
What to check before installing/running:
- Verify origin: the registry owner id (kn76t...) does not match the slug used in the README/install examples (cdk1025). Confirm you have the correct package/source before running install commands that fetch remote code.
- Inspect the script (scripts/merge_invoices.py) yourself — it's short and readable; it only uses pypdf and Pillow and operates on files in the directory you pass. Make sure you trust the script copy you will execute.
- Run in a safe/test directory first (not system folders or directories containing secrets). The tool processes any directory you point it at and will create/modify files there.
- The script will automatically open the generated PDF using the system default viewer (uses subprocess). If you prefer not to auto-open outputs, edit/remove that behavior before running.
- Use a Python virtual environment and install dependencies locally (python -m venv .venv; source .venv/bin/activate; pip install pypdf Pillow).
- If you want higher assurance, run the script offline (no network) and audit the remainder of the truncated code path to confirm there are no hidden network calls or unexpected behavior.
