Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Invoice

v1.0.0

Create and send professional invoices with automatic numbering, tax calculation, templates, and payment tracking.

by Iván @ivangdavila
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (invoice creation, numbering, taxes, templates, tracking) match the SKILL.md and supporting docs. Required artifacts (client DB, series.json, templates, PDFs, email) are all aligned with invoicing needs; nothing asks for unrelated cloud or system credentials.
Instruction Scope
Instructions explicitly read/write files under ~/billing, generate PDFs (via browser print/WeasyPrint/Puppeteer) and optionally send email. These actions are appropriate for the purpose, but the docs assume external tooling (weasyprint, headless browser or an SMTP mechanism) that the skill does not install or declare. Recurring invoice behavior implies the agent or host will run scheduled tasks — verify how scheduling/automation is handled by your agent platform.
Install Mechanism
Instruction-only skill with no install spec and no code files; lowest install risk. It references external tools (WeasyPrint, Puppeteer) but does not download or execute remote installers itself.
Credentials
The skill does not request environment variables or credentials in metadata, which is proportional. It will ask the user to configure and store sensitive business data locally (business name, tax ID, IBAN, optionally email/SMTP credentials). Storing those data locally is expected for invoicing, but the skill does not describe secure storage/encryption or how SMTP credentials (if used) are provided — you should avoid supplying secrets unless you trust the runtime environment.
Persistence & Privilege
always:false (normal). The skill allows autonomous invocation (platform default), which is required for features like recurring invoices and alerts; this is expected but you should confirm whether your agent platform will actually run background/scheduled tasks and with what permissions. The skill does not attempt to modify other skills or global config.
Assessment
This skill appears internally consistent for local invoice creation, but review these before installing:
- Data sensitivity: it will ask you to store personal/business financial data (tax IDs, IBANs, emails) under ~/billing. Keep that directory protected and back it up securely.
- Email sending: the skill references sending invoices by email but does not request SMTP credentials in metadata — you will need to provide and protect any mail credentials yourself; don't paste secrets into public chat or insecure places.
- PDF tooling: PDF generation mentions WeasyPrint, Puppeteer or browser print. Those tools may need to be installed separately; the skill won’t install them for you.
- Automation/recurring invoices: recurring generation requires the agent/platform to run scheduled tasks. Confirm how your agent handles autonomous or scheduled runs and what filesystem/email/network permissions it has.
- Legal/tax submissions: the docs mention TicketBAI/Facturae and certificate-based submission but do not implement remote submission. If you need electronic filing, plan for secure certificate storage and official submission tooling.

If you accept storing billing data locally and will manage any required external tools/SMTP credentials securely, the skill’s behavior matches its description. If you need guarantees about secret handling or automatic background actions, ask the skill author or platform vendor for details on scheduling, credential storage, and required binaries.
