Invoices
Pass
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only invoice organizer is coherent and purpose-aligned, but it handles sensitive financial documents and optional email/OCR flows that users should configure carefully.
This skill appears safe to install as an instruction-only invoice organizer. Before using optional automation, limit email access to invoice-specific folders or accounts, confirm before changing email state, and protect the long-term ~/invoices archive because it may contain tax IDs, payment details, and other sensitive financial data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured too broadly, the agent could inspect non-invoice email or change message status in a way the user did not intend.
Optional email integration would require access to the user's email account and can mutate email state by marking messages as processed.
If user configures email access: 1. Scan inbox for invoices ... 3. Mark as processed in email
Use a dedicated mailbox, folder, or label for invoices where possible, and require confirmation before marking emails as processed.
Invoice totals, provider details, tax IDs, payment references, and similar financial data may remain stored and searchable for a long time.
The skill creates persistent, searchable local records of invoice metadata and processing state.
entries.json # All invoice metadata (searchable)
└── state.json # Processing state
Keep the ~/invoices folder private, include it only in trusted backups, and periodically review what metadata is retained.
Depending on the runtime, sensitive invoice contents could be processed outside the local machine.
OCR may involve sending invoice content to a vision model or provider, but the artifact does not specify the processing boundary.
If image/scanned PDF → use vision model for OCR
Confirm which OCR/model provider is used, avoid processing highly sensitive invoices without consent, and redact personal data when exporting or sharing.
