FinOne Accounting (VN Merchants)
Warn
Audited by ClawScan on May 18, 2026.
Overview
This accounting skill is purpose-aligned, but it can change or publish financial records through a remote MCP server using only a stored FinOne user ID, so it needs careful review before use.
Before installing, verify that https://api-uat.vbill.vn/mcp is the official FinOne/Vbill MCP endpoint and that the server enforces authorization beyond a userId. Use the skill only in trusted sessions, confirm the active userId before sensitive actions, and require explicit approval before publishing e-invoices, deleting invoices, syncing data, or changing product/VAT settings.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wrong userId is used, or if a shared agent's memory is incorrect, actions could be taken against the wrong merchant's accounting account.
The artifact describes account access as header-less and driven by a userId stored in memory, while the same skill can create, delete, sync, and publish invoice data. That is high-impact financial authority without a clearly described credential or authorization boundary.
Auth is header-less. Each tool call takes a `userId` argument. The merchant's FinOne `userId` lives in the agent's memory
Verify that the MCP server enforces real server-side authorization beyond the userId, and use this only in trusted sessions where the active merchant identity is explicitly confirmed.
Mistaken tool use could delete internal invoices, publish official e-invoices, or change product pricing/VAT data.
The exposed tools are directly capable of changing business/accounting records. This is aligned with the skill's purpose, and the irreversible e-invoice action has a confirmation rule, but the capability is still high impact.
`deleteInvoice({userId, invoiceId})` - delete an internal invoice ... `createEInvoice({userId, invoiceId})` - publish the e-invoice officially. **Not reversible.** ... `updateProduct({userId, productName, updateData})` - update price / VAT
Require clear user confirmation before every destructive or business-changing action, not only before official e-invoice publication.
Private invoices, customer details, prices, VAT, and revenue/expense information may be processed by the remote FinOne/Vbill MCP service.
Invoice text and uploaded invoice images may be sent to a remote MCP server for OCR and accounting operations. This is expected for the stated integration, but it is sensitive financial data.
The skill calls the FinOne MCP server at `https://api-uat.vbill.vn/mcp` ... `createInvoice({userId, invoiceData})` ... Accepts a text payload or an image (OCR built-in).
Only upload invoices intended for FinOne/Vbill processing, and verify the MCP endpoint is the official service before configuring it.
A stale or incorrect remembered userId could cause the agent to query or modify the wrong merchant account.
The skill intentionally reuses a persistent memory value to select the merchant account. The artifact includes a shared-user confirmation safeguard, but the stored value still has financial impact if stale or incorrect.
Treat `finone.userId` in memory as the user's last-confirmed binding, not a fixed identity for the agent.
Confirm the active FinOne userId at the start of each sensitive session, especially in shared chats or shared agent deployments.
Users have less independent context for verifying that the skill and endpoint are officially maintained by the expected provider.
The package has no provided source or homepage while instructing users to configure a remote financial MCP service. This is not malicious by itself, but provenance is limited.
Source: unknown; Homepage: none
Confirm the skill publisher and MCP URL with FinOne/Vbill documentation or support before using it for real merchant accounting data.
