Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

poocr vatinvoice2excel

v1.0.0

Uses the poocr library to recognize invoices and export them to Excel. Invoke this skill when the user needs to recognize VAT invoices, batch-process invoice files, or extract invoice information into Excel.

by 程序员晚枫 (@coderwanfeng)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The SKILL.md clearly relies on the poocr library and Tencent Cloud SecretId/SecretKey to perform VAT invoice OCR and export to Excel, which fits the claimed purpose. However, the skill metadata lists no required environment variables or primary credential, and the source/homepage are unknown — the declared requirements do not match what the instructions actually need.
Instruction Scope
Instructions stay within the stated purpose (install poocr, call VatInvoiceOCR2Excel, supply input/output paths). However they show hardcoding of SecretId/SecretKey into code examples rather than encouraging safer practices (env vars or secret stores). The SKILL.md points the user to a shortlink (https://curl.qcloud.com/9ExTmaya) to obtain Tencent Cloud keys — this is expected for a Tencent-backed library but the shortlink should be verified.
Install Mechanism
There is no install spec in the registry (instruction-only), but SKILL.md instructs 'pip install poocr'. Using PyPI is common but has inherent supply-chain risk; the skill provides no provenance (source repo or homepage) for the poocr package or for this skill itself.
Credentials (flagged)
The runtime requires Tencent Cloud SecretId and SecretKey, yet the skill metadata lists no required env vars or primary credential. Asking for cloud API credentials is proportionate to OCR via Tencent Cloud, but the omission in metadata and examples that hardcode credentials increases risk (credential leakage, poor handling).
Persistence & Privilege
The skill is user-invocable, not always-on, and instruction-only. It does not request persistent presence or claim to modify other skills or system settings.
What to consider before installing
This skill appears to do what it claims (use poocr + Tencent Cloud to OCR invoices) but the registry metadata fails to declare the required Tencent Cloud credentials and the skill has no source/homepage. Before installing: verify the poocr package and its PyPI/project repository; confirm the curl.qcloud.com link is legitimate; avoid hardcoding SecretId/SecretKey in code (use environment variables or a secrets manager); limit and rotate the API keys you provide; test in an isolated environment; and prefer a skill with clear provenance and declared credentials in its metadata.


