Invoice Generator Pro
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoice details are copied from untrusted sources, a generated HTML invoice could contain active or misleading HTML content.
User-supplied invoice fields are inserted directly into HTML output without escaping. This is purpose-aligned for generating invoices, but untrusted field values containing HTML or script could render unexpectedly when the generated file is opened.
ITEM_ROWS_HTML+=" <tr><td>${desc}</td><td>${qty}</td><td>${rate_fmt}</td><td>${amt_fmt}</td></tr>\n"
Use trusted invoice data, prefer Markdown for untrusted text, or update the script to HTML-escape client names, emails, item descriptions, and other inserted fields.
A mistaken output path could overwrite a local file with the generated invoice.
The optional output parameter writes directly to the user-specified path and will overwrite an existing file. This is disclosed and expected for an invoice generator, but users should choose paths carefully.
if [[ -n "$OUTPUT" ]]; then echo -e "$1" > "$OUTPUT"; echo "Written to $OUTPUT"
Review the requested output path before running the skill, avoid protected or important files, and consider adding overwrite confirmation or no-clobber behavior.
The skill may fail on systems where bc is not installed.
The script depends on the bc command for calculations, while the metadata lists no required binaries. This is an under-declared dependency rather than suspicious behavior.
amount=$(echo "$qty * $rate" | bc)
Declare bc as a required binary or document that users must install it before using the script.
