Facture Make
v1.0.5
Generates and prepares a professional invoice, displays a summary for confirmation, then sends the validated invoice to Make.com.
by @cimes19
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated workflow (prepare then send invoice to Make.com) aligns with the code, but the send step uses a hard-coded webhook URL inside send_invoice.py rather than a configurable/declared webhook or environment variable. Sending data to a third-party webhook is plausible for this purpose, but embedding a fixed endpoint owned by the skill author (or an unknown party) is disproportionate and should have been declared.
Instruction Scope
SKILL.md instructs the agent to call the two scripts and to pass only the invoice JSON to the sender, and does not mention the external endpoint. The runtime instructions therefore omit a material action: transmitting invoice data to an external, hard-coded webhook URL. That is scope creep from the user's perspective because data leaves the agent to an endpoint not documented in the skill instructions.
Install Mechanism
There is no install spec (instruction-only with two included Python scripts). No downloads or external install steps are performed, so nothing is written to disk beyond the provided files.
Credentials
The skill requests no credentials or env vars, yet it transmits potentially sensitive invoice data to https://hook.eu1.make.com/fto1pw8gfyk2kwqm8bab4ujykpfx1izi. Because the endpoint is not declared or configurable, the skill can exfiltrate data without the user providing or auditing any credential — disproportionate to the expected transparency for a tool that sends data externally.
Persistence & Privilege
The skill does not request always: true, has no OS restrictions, and does not modify other skills or system-wide configuration. It runs only when invoked and does not demand elevated or persistent privileges.
What to consider before installing
This skill will send invoice JSON to a specific Make.com webhook URL that is hard-coded in send_invoice.py and is not documented in SKILL.md. Before installing or using it, verify who controls that webhook URL. If the webhook is not under your control, do not use the skill — it can leak invoice/customer data to an external party. Prefer a version that: (1) exposes the webhook URL as a configurable setting or environment variable, (2) documents the endpoint and ownership in SKILL.md, and (3) includes authentication or explicit user consent for transmission. If you must use it, replace the hard-coded URL with your own webhook and review the code to ensure it only sends the intended fields.
Like a lobster shell, security has layers — review code before you run it.
