Invoice Generator Pro
Pass. Audited by ClawScan on May 1, 2026.
Overview
This is a straightforward local invoice generator with no credential or network access, though users should be careful with HTML inputs and output file paths.
Before installing, note that this skill runs a local shell script to generate invoice files. Use trusted invoice text for HTML output, choose output paths carefully to avoid overwriting files, and make sure the bc command is available on your system.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoice details are copied from untrusted sources, a generated HTML invoice could contain active or misleading HTML content.
User-supplied invoice fields are inserted directly into HTML output without escaping. This is purpose-aligned for generating invoices, but untrusted field values containing HTML or script could render unexpectedly when the generated file is opened.
ITEM_ROWS_HTML+=" <tr><td>${desc}</td><td>${qty}</td><td>${rate_fmt}</td><td>${amt_fmt}</td></tr>\n"
Use trusted invoice data, prefer Markdown for untrusted text, or update the script to HTML-escape client names, emails, item descriptions, and other inserted fields.
A mistaken output path could overwrite a local file with the generated invoice.
The optional output parameter writes directly to the user-specified path and will overwrite an existing file. This is disclosed and expected for an invoice generator, but users should choose paths carefully.
if [[ -n "$OUTPUT" ]]; then echo -e "$1" > "$OUTPUT"; echo "Written to $OUTPUT"
Review the requested output path before running the skill, avoid protected or important files, and consider adding overwrite confirmation or no-clobber behavior.
The skill may fail on systems where bc is not installed.
The script depends on the bc command for calculations, while the metadata lists no required binaries. This is an under-declared dependency rather than suspicious behavior.
amount=$(echo "$qty * $rate" | bc)
Declare bc as a required binary or document that users must install it before using the script.
