Skill v1.0.0

ClawScan security

Agent Invoice Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 2:49 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and runtime instructions are consistent with an invoice/PDF generator: it reads/writes local config and invoice files, produces PDFs/HTML, and does not request external credentials or network access.
Guidance
This skill appears to do what it claims (create and store invoices locally). Before installing or running it, consider:
1) Local storage/privacy: it writes business info and invoice JSON to ~/.openclaw and PDFs/HTML to ~/Documents/Invoices; treat those files as potentially sensitive and confirm file permissions and backups.
2) Review the full script on disk (you saw a truncated listing); ensure there are no hidden network calls or telemetry before trusting it with real customer data.
3) reportlab is an optional dependency for PDF output; if you install it, use a trusted source (pip from PyPI) and review package provenance.
4) Recurring invoicing suggestions (cron) and 'email via configured email skill' require separate careful configuration: mailing requires credentials and should be reviewed before enabling automatic delivery.
5) Concurrency note: invoice numbering increments the config file on generation and could race in concurrent runs; if you will run this in parallel, consider locking or single-threaded operation.
If you want higher assurance, run the script in a sandboxed environment and inspect the full file contents before giving it access to real data.

Review Dimensions

Purpose & Capability
ok
The name and description (generate invoices, PDF output, recurring, payment tracking) match the provided script. The script implements invoice creation, numbering, storage, PDF/HTML generation, listing and marking paid, all coherent with the stated purpose.
Instruction Scope
note
SKILL.md instructs use of scripts/invoice.py and documents storage locations (~/.openclaw/invoice-config.json, ~/.openclaw/invoices, ~/Documents/Invoices). That scope is appropriate for an invoicing tool, but the skill stores invoice data and business info unencrypted on disk (privacy risk). SKILL.md also suggests recurring invoices via cron and optional emailing via an external 'email skill' (email sending is not implemented in the provided script and would require separate credential/config review).
Install Mechanism
ok
This is instruction-only with an included Python script; there is no install spec, no downloads, and no third-party install automation. It optionally depends on the reportlab Python package for PDF output (fallback to HTML if missing).
Credentials
ok
The skill declares no required environment variables, credentials, or config paths beyond application-specific file locations under the user's home directory. No unrelated secrets or external service keys are requested.
Persistence & Privilege
note
The skill persists configuration and invoice JSON files under ~/.openclaw and writes PDF/HTML invoices to ~/Documents/Invoices. It does not request always:true or modify other skills. Persisting potentially sensitive billing data locally is expected behavior but worth noting for privacy and backup/permission considerations.