invoice-merger
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The artifacts show a coherent local invoice/PDF/image merging tool, with only expected local file processing, dependency installation, and preview-opening behavior to notice.
This appears safe for its stated purpose. Before installing, know that it processes local invoice files in the folder you choose, creates a dated merged-output folder, may require installing pypdf and Pillow, and opens the generated PDF for preview. Use a dedicated folder and a virtual environment if you want tighter control.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If unrelated PDFs or images are in the selected folder, they may be read and merged into the output PDF.
The script enumerates matching files in the user-supplied directory for processing. This is the intended function, but it means every supported PDF/image file in that folder may be included.
from pathlib import Path

# Enclosing function name and signature are assumed; the scan quotes only the return statement.
def list_input_files(directory, ext_set):
    # Every regular file in the chosen directory whose suffix is in ext_set is selected,
    # regardless of whether it is an invoice.
    return sorted(
        p for p in Path(directory).iterdir() if p.is_file() and p.suffix.lower() in ext_set
    )

Run the skill only on a dedicated folder containing the invoices or images you intend to merge, then review the generated output.
Installing dependencies may change the local Python environment and will retrieve package code from the package source used by pip.
The skill documents installing third-party Python packages without version pins. These packages are expected for PDF/image handling, but installation depends on the configured package index and mutates the Python environment.
python -m pip install pypdf Pillow
Use a virtual environment if possible, install from trusted package indexes, and pin versions if repeatability matters.
After merging, your default PDF viewer or related application may open automatically.
The skill discloses that it will automatically open the generated output file with the system default application. This is purpose-aligned preview behavior, but it launches a local application after processing.
After generation, the output file of this run is opened automatically with the system default program (macOS / Windows / Linux)
Expect the preview launch, and run the skill only with files and default viewer settings you are comfortable using.
