InvoiceForge API

v1.0.0

Generate professional PDF invoices using InvoiceForge API - create, manage, and download invoices for freelancers, agencies, consultants, small businesses, S...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes creating and managing invoices via an API and the curl examples map to that purpose (create key, create/list invoices, download PDF). However the skill's source/homepage is unknown and the API domain (invoiceforge.vosscg.com) is not documented or referenced elsewhere in metadata, which weakens provenance and trustworthiness.
! Instruction Scope
The runtime instructions tell the agent to collect the user's email and POST it to an external API to create an API key — this entails sending personal data to a third party automatically. The instructions also say to “store the API key securely” but give no guidance on where or how; the agent could end up storing credentials in an unexpected place. These behaviors are within the invoicing scope but carry privacy and exfiltration risk because the external service and account-creation flow are unverified.
Install Mechanism
No install spec and no code files (instruction-only) means nothing will be written or installed by the skill itself. This reduces filesystem/remote-install risk.
Credentials
The skill declares no required environment variables or credentials, yet the instructions require an API key obtained from the external service and say to save it for future use. There is a mild mismatch: users/agents will need to store and provide an API key at runtime even though no env vars are declared. That lack of explicitness can lead to insecure handling of secrets.
Persistence & Privilege
always is false and the skill does not request persistent/global privileges. The default ability for the agent to invoke the skill autonomously is enabled (platform default) but not combined with other high-risk privileges here.
What to consider before installing
This skill appears to do what it says (create/download invoices), but the API endpoint and publisher are unverified. Before installing:
1) Verify the vendor/domain (invoiceforge.vosscg.com) and look for an official homepage, privacy policy, or company identity.
2) Prefer to create the API key yourself on the vendor site and paste it into the agent rather than giving the agent your email and letting it create an account automatically.
3) Ensure the agent will store the API key in a secure secret store (not plaintext chat or logs) and rotate/delete keys you no longer use.
4) Test with non-sensitive sample data first.
5) If you need higher assurance, ask the publisher for documentation or move to a known, audited invoicing provider.

Like a lobster shell, security has layers — review code before you run it.

latest vk972xa2ebdg8hjr05me8e5x5k182bcyd
