v1.0.0

Morning (Green Invoice)

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:30 AM.

Analysis

This skill is not clearly malicious, but it asks the agent to use Morning API credentials to create or change accounting records through an undeclared tool, so it should be reviewed carefully before use.

Guidance: Before installing, confirm that you trust the `morning` tool provider, use a restricted Morning API key if available, and require the agent to show and confirm all client/item/document details before creating or updating accounting records.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
- Create/update **clients**
- Create/update **items**
- Create **documents** (invoice / receipt / quote / order / credit / debit)

These are purpose-aligned actions, but they can materially affect financial records and customer-facing documents. The instructions do not clearly require a final user approval step before mutation.

User impact: The agent could create or modify clients, items, invoices, receipts, or credit/debit documents if invoked with the needed details.
Recommendation: Require explicit user confirmation before every create/update operation, especially before issuing invoices, receipts, credits, or debits.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: Medium | Status: Concern
install spec
No install spec — this is an instruction-only skill.

The SKILL.md tells the agent to use a `morning` tool, but the provided artifacts contain no implementation or install specification for that credential-receiving, account-mutating tool.

User impact: The sensitive behavior depends on a tool implementation that is not visible in the provided package artifacts.
Recommendation: Verify that the `morning` tool is supplied by a trusted source and has clear credential handling and action limits before providing API secrets.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
Authentication
- `apiKeyId`
- `apiKeySecret`

The skill asks the agent to collect Morning API credentials, but the registry declares no primary credential or required environment variables. These credentials can authorize account-level accounting actions.

User impact: A user could give the agent credentials that allow creating or changing real business/accounting data in Morning.
Recommendation: Use only a dedicated, least-privileged API key if possible, confirm the credential scope in Morning, and revoke or rotate the key if it is no longer needed.