Invoices
Capture, extract, and organize received invoices with automatic OCR, provider detection, and searchable archive.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 2 · 979 · 1 current installs · 1 all-time installs
by Iván (@ivangdavila)
Security Scan
OpenClaw: Benign, high confidence
Purpose & Capability
Name/description align with the instructions: capture, OCR/parse, validate, organize, and search invoices. There are no unexpected required binaries, environment variables, or install steps that would contradict the stated purpose.
Instruction Scope
The SKILL.md/process.md explicitly allows optional email integration, downloading invoices from URLs, and sending documents to a 'vision model' for OCR and to the VIES API for VAT validation. These actions are coherent for invoice processing but can cause broader data access (email inbox, network transfers). The skill does not specify whether OCR/VIES calls run locally or send data to external services, which affects privacy/exfiltration risk.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimal footprint is consistent with the stated behavior and reduces installation risk (nothing is written to disk by an installer).
Credentials
The skill declares no required environment variables or credentials, which is proportionate. However, useful features (email scanning, portal downloads, VIES validation, remote OCR) will require the user to provide credentials or enable connectors outside the skill. The skill reads/writes user files under ~/invoices/ and handles potentially sensitive personal data (invoices), so data-flow and credential management should be considered before enabling integrations.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent platform presence or modifications to other skills. It writes only to its own stated folder structure and tracks its own state files, which is appropriate for its function.
Assessment
This skill appears internally consistent with its invoice-management purpose, but review these before enabling:
- Storage and backups: the skill stores originals and derived files under ~/invoices/; confirm you are comfortable with that path, ensure backups are encrypted and retention policies meet your legal needs.
- Email and portal access: email monitoring and URL downloads are optional but require you to provide credentials or connectors. Only configure these if you trust the agent and understand which account it will access.
- OCR and VAT validation: the docs mention a 'vision model' and the VIES API but do not state whether processing is local or sent to third-party services. Ask (or test) where OCR and VIES requests are executed; sending invoice images externally can leak sensitive data.
- Test with non-sensitive data: before putting real or confidential invoices through automation, run a trial with redacted or dummy invoices to verify naming, deduplication, validation logic, and data flows.
- GDPR/PII: invoices may contain personal data. Use redaction or limit exports, and confirm export destinations are compliant with your jurisdictional rules.
- Retention and deletion: the skill's rule is to never delete originals; if you need different retention, prepare a manual policy or modify behavior before bulk import.
If you need the skill to access email/remote services, require explicit, auditable configuration and verify that network calls (OCR/VIES) go to trusted endpoints. Otherwise the skill is coherent and appropriate for the stated purpose.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.1
SKILL.md
Trigger
Use when user receives invoices (email, photo, PDF) and wants them organized automatically.
Key difference: This skill MANAGES received invoices. The invoice skill CREATES invoices to send.
Storage
~/invoices/
├── inbox/                 # Unprocessed files awaiting extraction
├── archive/               # Organized by year/month
│   └── 2026/
│       └── 02/
│           └── 2026-02-13_Hetzner_INV-12345_89.50.pdf
├── providers/             # Provider metadata
│   └── index.json
├── entries.json           # All invoice metadata (searchable)
└── state.json             # Processing state
Quick Reference
| Topic | File |
|---|---|
| Capture and extraction workflow | process.md |
| Fields to extract | extraction.md |
| Search queries and reports | search.md |
| Legal requirements by country | legal.md |
Process Summary
- Capture — Receive invoice (email attachment, photo, direct PDF). Copy to inbox/.
- Extract — OCR if needed, parse fields (provider, date, amounts, tax).
- Validate — Check required fields, detect duplicates.
- Organize — Rename, move to archive/YYYY/MM/, update entries.json.
- Confirm — Show extracted data, allow corrections.
See process.md for detailed workflow.
Critical Rules
- Never delete originals — Keep PDFs permanently. Legal requirement (4-6 years depending on country).
- Detect duplicates — Same invoice number + provider = duplicate. Alert, don't overwrite.
- Validate tax math — Base + tax should equal total. Flag discrepancies.
- Provider normalization — "HETZNER ONLINE GMBH" = "Hetzner". Maintain provider aliases.
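One way the Validate and Organize rules above could be checked in code, as an added example that is not part of the skill (which ships instructions only). The field names, alias table, rounding tolerance and entries layout are assumptions; because extracted fields come from untrusted documents, the file name builder restricts them to a safe character set before they reach a path.

```python
import re
from decimal import Decimal

# Constructed alias table and sample; the real providers/index.json and
# entries.json schemas are not shown on the page, so these keys are assumed.
ALIASES = {"hetzner online gmbh": "Hetzner"}
TOLERANCE = Decimal("0.01")  # assumed rounding tolerance
SAMPLE = {"provider": "HETZNER  ONLINE GMBH", "number": "INV-12345",
          "date": "2026-02-13", "base": "75.21", "tax": "14.29",
          "total": "89.50"}


def normalize_provider(raw):
    """Map an extracted provider string to its canonical name."""
    key = re.sub(r"\s+", " ", raw).strip().lower()
    return ALIASES.get(key, raw.strip())


def validate(inv, entries):
    """Return (invoice with canonical provider, flags) without writing anything."""
    inv = dict(inv, provider=normalize_provider(inv["provider"]))
    flags = []
    base, tax, total = (Decimal(inv[k]) for k in ("base", "tax", "total"))
    if abs(base + tax - total) > TOLERANCE:
        flags.append("tax_mismatch")
    seen = {(e["provider"], e["number"]) for e in entries}
    if (inv["provider"], inv["number"]) in seen:
        flags.append("duplicate")  # alert only; the archived copy stays as is
    return inv, flags


def _safe(field):
    """Reduce an OCR-extracted field to characters safe in a file name."""
    return re.sub(r"[^A-Za-z0-9.-]", "-", field).strip(".-") or "unknown"


def archive_name(inv):
    """Build the archive file name shown in the storage layout."""
    if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", inv["date"]):
        raise ValueError("date must be YYYY-MM-DD")
    total = Decimal(inv["total"]).quantize(Decimal("0.01"))
    return f"{inv['date']}_{_safe(inv['provider'])}_{_safe(inv['number'])}_{total}.pdf"


if __name__ == "__main__":
    invoice, flags = validate(SAMPLE, entries=[])
    print(archive_name(invoice), flags)
```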
Alerts
- Invoice pending >48h in inbox
- Payment due in <7 days
- Unusual amount (>50% higher than same provider average)
- Missing expected recurring invoice
