ClawHub

InvoiceForge API

Security checks across malware telemetry and agentic risk

Overview

This invoice API skill is mostly coherent, but it can collect and send sensitive billing and client data to a third-party service from broad invoice-related prompts without a clear consent step.

Install only if you intend to use InvoiceForge for real invoice workflows and are comfortable sending seller, buyer, emails, addresses, invoice line items, tax rates, due dates, and notes to that service. Confirm every invoice creation, batch operation, and status update before submission, and store the API key only in a trusted secret manager.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill description is extremely broad and includes generic invoicing, billing, receipt generation, and 'any invoicing or billing needs' language, which can cause the skill to activate for loosely related requests. Overbroad activation increases the chance that users unintentionally route sensitive financial and customer data to this external service without clear intent or informed consent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The example trigger 'create an invoice for my client' is common natural language that many users may say in a general productivity context, not realizing it invokes a third-party API workflow. In this skill, that broad phrase is more dangerous because the workflow proceeds to collect seller, buyer, and financial details for external transmission.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly asks for an email address to create an account and later collects invoice-related personal and business information, but it provides no privacy notice or explicit warning that this information will be sent to InvoiceForge. This creates a meaningful risk of users disclosing PII and financial data to a third party without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal