Agent Invoice Generator
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward local invoice generator, but it stores billing data on disk and includes optional email/recurring workflows that users should control carefully.
Use this skill if you are comfortable storing invoice data locally. Review generated invoices before sending, require explicit confirmation before using any email skill, and only set up recurring cron jobs if you know how to monitor and disable them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Client names, business contact details, invoice amounts, and payment status may remain on the local machine.
The script persists business profile data and full invoice records locally, which is expected for listing, viewing, and marking invoices paid but may include sensitive client and billing information.
CONFIG_PATH = Path.home() / ".openclaw" / "invoice-config.json"
DATA_PATH = Path.home() / ".openclaw" / "invoices"
... (DATA_PATH / f"{invoice['number']}.json").write_text(json.dumps(invoice, indent=2))
Use on trusted devices, review file permissions, and delete ~/.openclaw/invoices or ~/.openclaw/invoice-config.json when the records are no longer needed.
An invoice could be emailed to a client if the agent uses a configured email tool as part of the workflow.
The skill documents chaining to another email-capable tool. Sending invoices externally is related to invoicing, but it is a high-impact action if done without final user review.
Optional: email invoice directly via configured email skill
Require explicit confirmation of recipient, attachment, totals, and message text before any invoice email is sent.
If configured, invoices may continue to be generated or delivered automatically after the initial setup.
The recurring-invoice instructions describe persistent scheduled behavior. This is disclosed and purpose-aligned, but the documentation does not define approval, recipients, or disable steps.
Set up as a cron job for automatic generation and delivery.
Only create recurring cron jobs manually after reviewing the schedule, recipients, and stop procedure.
Untrusted invoice text could affect the local HTML invoice display or run browser-side script in the generated file.
When reportlab is unavailable, the fallback HTML output inserts invoice fields directly into HTML without escaping. If invoice fields contain HTML or script content, it may render when the local HTML file is opened.
html += f"<tr><td>{item['description']}</td><td>{item['quantity']}</td>..."
... html += f'<div class="notes"><strong>Notes:</strong><br>{invoice["notes"]}</div>'
Prefer PDF output, avoid untrusted HTML in invoice fields, or update the HTML fallback to escape user-supplied text.
