Validate 数电票 XML (fully digitalized electronic invoice)
v1.0.0 Validates whether an XML file is in the Chinese 数电票 (fully digitalized electronic invoice) format. Checks the XML structure, required fields and 数电票 characteristics. Use when the user needs to verify that an XML file is a 数电票, check 数电票 format compliance, or process electronic-invoice XML files.
⭐ 0 · 56 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Benign (medium confidence)
Purpose & Capability
The name and description match the actual instructions and the included Python validation script: it parses a local XML file, checks for an EInvoice root element, the required fields (EIid, InvoiceNumber, SellerIdNum, BuyerIdNum) and the presence of a signature, and prints a report. No unrelated credentials, binaries or network access are requested.
Instruction Scope
Instructions operate only on a user-supplied XML file, as expected. However, the example uses xml.etree.ElementTree.parse() with no protection against hostile input: the standard-library parser refuses to expand external entities, so XML External Entity (XXE) retrieval is not the main exposure, but it does nothing against billion-laughs-style entity expansion or quadratic blowup, and the script has no input size limit. The script also prints sensitive fields (taxpayer IDs, invoice numbers) without any guidance on handling or redacting personally identifiable information.
Install Mechanism
Instruction-only skill with no install spec and no code files beyond SKILL.md (which includes a small Python example). Nothing is downloaded or written to disk by an installer, so install risk is low.
Credentials
No environment variables, credentials, or config paths are requested. The skill does process sensitive invoice data from user-supplied files, which is expected for the task but worth noting as a privacy consideration.
Persistence & Privilege
Skill is not always-enabled and requests no elevated privileges or persistent system changes. It does not modify other skills or system-wide configuration.
Assessment
This skill appears to do what it says (validate Chinese e-invoice XML) and does not ask for credentials, but before using it consider: 1) Do not run the script on untrusted XML in a sensitive environment; xml.etree.ElementTree.parse() has no defense against entity-expansion denial of service, so prefer defusedxml or reject any document that declares a DTD or entities. 2) The script prints invoice numbers and taxpayer IDs (sensitive PII); redact them, or run validation in a trusted, isolated environment if privacy matters. 3) If you integrate this into production, add robust namespace handling, input size limits and explicit safe XML parsing to prevent DoS or XXE, and remember that checking for the presence of a signature element is not the same as verifying the signature. If you need it, I can suggest a hardened Python implementation that mitigates XXE and large-entity attacks and masks PII in reports.
Like a lobster shell, security has layers: review code before you run it.
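The hardened implementation the scan's Instruction Scope and Assessment sections call for, written as an added example rather than taken from the skill's SKILL.md or from OpenClaw. It assumes only what the report states: an EInvoice root, the four required field names, and the presence of a signature element. Where those fields sit in the tree is not assumed (lookups match on local name anywhere in the document, so default and prefixed namespaces both work), the signature is assumed to be an XMLDSig Signature element, and the masking policy (keep the last four characters) is an arbitrary choice. All three sample documents are constructed for the demonstration and are not real invoices.

```python
"""Hardened validation of a 数电票 (fully digitalized e-invoice) XML file.

Standard library only: rather than trusting the parser's entity handling, the
input is size-capped, decoded strictly as UTF-8 and rejected outright if it
carries a DOCTYPE or ENTITY declaration. Without a DTD there is no way to declare
external entities (XXE) or self-referencing entities (billion laughs), so the
parser never sees them. defusedxml is the usual alternative when a third-party
dependency is acceptable.
"""
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 10 * 1024 * 1024  # refuse oversized input before it reaches the parser
# Field names come from the scan report; their position in the tree is not assumed.
REQUIRED_FIELDS = ("EIid", "InvoiceNumber", "SellerIdNum", "BuyerIdNum")
# Assumption: the signature is an XMLDSig <Signature> element (presence only, not verified).
DSIG_TAG = "{http://www.w3.org/2000/09/xmldsig#}Signature"

# Constructed sample inputs (not real invoices; element layout is illustrative).
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<EInvoice xmlns="urn:example:einvoice" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Header>
    <EIid>24442000000012345678</EIid>
    <InvoiceNumber>24442000000012345678</InvoiceNumber>
    <SellerIdNum>91440300MA5ABCDE1X</SellerIdNum>
    <BuyerIdNum>91110000123456789A</BuyerIdNum>
  </Header>
  <ds:Signature><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
</EInvoice>"""

SAMPLE_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE EInvoice [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<EInvoice><Header><EIid>&xxe;</EIid></Header></EInvoice>"""

SAMPLE_INCOMPLETE = b"""<EInvoice>
  <EIid>24442000000012345678</EIid>
  <InvoiceNumber>24442000000012345678</InvoiceNumber>
  <SellerIdNum>91440300MA5ABCDE1X</SellerIdNum>
</EInvoice>"""


def local_name(tag: str) -> str:
    """Strip a Clark-notation namespace ('{uri}name') so matching ignores prefixes."""
    return tag.rsplit("}", 1)[-1]


def mask(value: str, keep_tail: int = 4) -> str:
    """Redact all but the last `keep_tail` characters so reports do not leak PII."""
    if len(value) <= keep_tail:
        return "*" * len(value)
    return "*" * (len(value) - keep_tail) + value[-keep_tail:]


def safe_parse(data: bytes) -> ET.Element:
    """Parse untrusted XML with a size cap and no DTD, returning the root element."""
    if len(data) > MAX_BYTES:
        raise ValueError(f"input exceeds {MAX_BYTES} bytes")
    text = data.decode("utf-8")  # strict: UTF-16 or other encodings are rejected
    if "\x00" in text:
        raise ValueError("NUL byte in input")
    if re.search(r"<!(DOCTYPE|ENTITY)", text):
        raise ValueError("DOCTYPE or ENTITY declaration present")
    # Feeding str makes expat ignore any encoding claimed in the XML declaration.
    return ET.fromstring(text)


def validate(data: bytes) -> dict:
    """Return a report: validity, errors, masked required fields, signature presence."""
    report = {"valid": False, "errors": [], "fields": {}, "signed": False}
    try:
        root = safe_parse(data)
    except (ValueError, UnicodeDecodeError, ET.ParseError) as exc:
        report["errors"].append(f"rejected: {exc}")
        return report
    if local_name(root.tag) != "EInvoice":
        report["errors"].append(f"root element is {local_name(root.tag)!r}, expected 'EInvoice'")
    by_name = {}
    for el in root.iter():
        by_name.setdefault(local_name(el.tag), el)  # first occurrence wins
    for name in REQUIRED_FIELDS:
        el = by_name.get(name)
        value = (el.text or "").strip() if el is not None else ""
        if not value:
            report["errors"].append(f"missing or empty field: {name}")
            continue
        report["fields"][name] = mask(value)  # every required field is an identifier
    report["signed"] = any(el.tag == DSIG_TAG for el in root.iter())
    if not report["signed"]:
        report["errors"].append("no XMLDSig Signature element")
    report["valid"] = not report["errors"]
    return report


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("xxe", SAMPLE_XXE), ("incomplete", SAMPLE_INCOMPLETE)):
        print(label, validate(sample))
```

Rejecting the DTD up front is deliberately blunt: a legitimate 数电票 document has no reason to carry one, and refusing it closes both the external-entity and the entity-expansion classes at once, independent of which Expat build the interpreter links against. The report never holds an unmasked identifier, so it can be logged or shown without a separate redaction step.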
latest: vk971vkz8ebtrard7b0br52zmvd84d4dm
