Morning (Green Invoice)
Review
Audited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate Morning/GreenInvoice integration, but it can create or update real accounting records with API credentials without an explicit confirmation step.
Review this skill before using it with a production Morning account. Only provide a dedicated API key if you trust the connected `morning` tool, and insist on reviewing and confirming the exact client, item, or document payload before anything is created or updated.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or autonomous invocation could create or alter clients, items, invoices, receipts, or similar accounting documents in the user's Morning account.
The supported actions include operations that mutate real business/accounting data, but the documented workflow does not require a final user confirmation or payload review before creating or updating records.
Supported actions
- `getToken`
- `createClient`
- `createItem`
- `createDocument`
Require explicit user confirmation before every create/update action, show the final payload to be submitted, and prefer sandbox/test accounts or least-privilege API keys where available.
Anyone or anything using these credentials may be able to act on the user's Morning account within the API key's permissions.
The skill collects provider API credentials and handles JWTs. This is expected for a Morning integration and includes a no-echo guardrail, but the credentials can authorize sensitive account actions.
Authentication
- `apiKeyId`
- `apiKeySecret`
...
Never log or echo `apiKeySecret` or JWTs back to the user.
Use a dedicated, least-privilege API key if Morning supports it, provide secrets only in a trusted session, and revoke or rotate the key if it may have been exposed.
Security depends on the external `morning` tool implementation available in the user's environment, not just this SKILL.md.
The reviewed artifact is instruction-only and no implementation for the referenced `morning` tool is included, so the actual tool behavior and provenance cannot be verified from these artifacts.
Use the `morning` tool with an `action` field.
Verify the installed or connected `morning` tool separately before using real API credentials or creating production accounting documents.
