FreshBooks CLI

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for FreshBooks billing work, but it handles FreshBooks credentials and can modify financial records through a third-party CLI package.

Before installing, confirm you trust the third-party CLI package and are comfortable granting it FreshBooks access. Use it carefully for financial records, review every invoice/client change before approving it, and log out or revoke access when you no longer need the integration.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked incorrectly, the agent could create or change client and invoice records in FreshBooks.

Why it was flagged

The documented commands can change FreshBooks clients and invoices, which is sensitive financial/business data. The behavior is disclosed and purpose-aligned, and the skill instructs confirmation before modifications.

Skill content

`freshbooks clients create ...`, `freshbooks clients update <id> --data '<json>'`, `freshbooks invoices create ...`, `freshbooks invoices update <id> --data '<json>'`, `freshbooks invoices archive <id>` ... `Confirm with the user before creating invoices or modifying billing data.`

Recommendation

Only approve write actions after reviewing the exact client, invoice, amount, and payload; use read-only/list commands first when possible.

What this means

Anyone or anything able to use the stored token could access the connected FreshBooks account according to the granted permissions.

Why it was flagged

The CLI uses FreshBooks OAuth credentials and stores refreshable tokens locally. This is expected for the integration, but it grants ongoing access to the connected FreshBooks account.

Skill content

`freshbooks auth login --client-id "<FRESHBOOKS_CLIENT_ID>" --client-secret "<FRESHBOOKS_CLIENT_SECRET>" --manual` ... `Tokens are stored at ~/.config/freshbooks-cli/config.json (0600 permissions) and auto-refresh before expiry.`

Recommendation

Use FreshBooks credentials intended for this CLI, protect the config file, run `freshbooks auth logout` when finished, and revoke the app/token in FreshBooks if no longer needed.

What this means

The installed package will handle OAuth credentials and FreshBooks operations, so its provenance matters.

Why it was flagged

The skill depends on an external third-party package for the actual CLI behavior, while the supplied artifacts contain only instructions and no package code for review.

Skill content

`npm install -g @haseebuchiha/freshbooks-cli` ... `Requires .npmrc with @haseebuchiha:registry=https://npm.pkg.github.com for GitHub Package Registry.`

Recommendation

Install only if you trust the package publisher and registry source; verify the package contents or source repository before using it with real FreshBooks credentials.