Env credential access
- Finding: environment-variable access combined with an outbound network send.
Security checks across static analysis, malware telemetry, and agentic risk
The skill's code and instructions align with an invoice-verification tool, but the runtime instructions push a specific external API host that is not documented on the homepage, and the bundled script will send invoice text/images and stored keys to whatever backend is configured. This inconsistency and the implicit transmission of sensitive data warrant caution.
This skill appears to be an honest invoice-verification helper, but it will send invoice text and image data to whichever API base URL you configure and will store an appKey in ~/.openclaw/invoice-skill/config.json. Before installing or running init-key:
1. Inspect the bundled scripts yourself (you already have scripts/invoice_service.js) and confirm you understand what data will be sent.
2. Do NOT blindly use the SKILL.md first-time-setup API host; that host is not documented elsewhere in the package and could receive your invoices and keys. Set api-base-url to a backend you trust (for example a local instance) or your organization's verified endpoint.
3. Check ~/.openclaw/invoice-plugin/config.json for any sensitive keys the script might read, and remove or back them up if needed.
4. If you need confidentiality for invoice data, avoid sending real invoices to unknown external hosts and consider running a private backend.
5. If uncertain, run the script in a sandboxed account or container and avoid calling init-key until you confirm the backend is trustworthy.
VirusTotal engine telemetry currently flags this artifact as malicious.
No visible risk-analysis findings were reported for this release.