Invoice

Advisory: Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

After you approve an upload, the skill can write invoice files into the configured GitHub repository.

Why it was flagged

The skill performs an authenticated GitHub API write to create or update invoice JSON files. This is expected for the stated purpose, but it is still a real account mutation.

Skill content
RESULT=$(curl -s -X PUT ... "https://api.github.com/repos/$REPO/contents/$FILE_PATH" ... -d "$PAYLOAD")
Recommendation

Use a dedicated private repository and review the preview carefully before approving an upload.

What this means

A broadly scoped GitHub token could allow more repository writes than intended if misconfigured. A classic PAT with the `repo` scope, for example, can push to every repository the account has write access to, not only the invoice repository.

Why it was flagged

The skill requires a GitHub token with repository content write access. This is necessary for uploading invoices, but the credential is high-impact if over-scoped.

Skill content
"GITHUB_TOKEN", "description": "GitHub Personal Access Token with contents:write permissions"
Recommendation

Use a fine-grained PAT limited to the single invoice repository with only the required Contents read/write permission.

What this means

Invoice/customer details and bank information may remain stored in GitHub for long periods.

Why it was flagged

The skill persists sensitive business and financial information in a GitHub repository and may retrieve it later for invoice workflows.

Skill content
The target repository **must be private**. It stores invoice data including: Company names and addresses, VAT IDs and bank details (IBAN, BIC), Pricing and line item details
Recommendation

Keep the repository private, limit collaborator access, and ensure retention policies match your legal and privacy obligations.

Note (High Confidence)
ASI08: Cascading Failures
What this means

If you approve an incorrect invoice, repository automation may generate and send the wrong document.

Why it was flagged

Uploading a JSON invoice may trigger downstream automation outside the skill itself. This is disclosed and purpose-aligned, but a mistaken upload could propagate to generated PDFs or email delivery.

Skill content
GitHub Action builds the PDF and sends it via email
Recommendation

Confirm recipient, amounts, invoice number, and repository automation behavior before approving the upload.
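As an added example (not the skill's own code and not ClawScan's), the gate below turns the two write-related recommendations into a Python pre-upload check: the invoice is validated (number format, duplicate number, recipient address, line items summing to the total), the GitHub Contents API PUT is built but not sent, a preview is produced for the approver, and only an explicit approval issues the request. The repository name `example-org/invoices`, the `INV-YYYY-NNNN` numbering scheme, the `invoices/` path layout and the sample invoice are all assumptions made for the example; the API shape (base64 `content`, `message`, optional `sha` for updates) is GitHub's documented Contents API.

```python
"""Pre-upload gate for an invoice skill that writes JSON files through the
GitHub Contents API. Added example, not the skill's own code."""
import base64
import json
import re
import urllib.request
from decimal import Decimal

API = "https://api.github.com"
ALLOWED_REPO = "example-org/invoices"          # assumed: the one private repo the PAT is scoped to
INVOICE_NO = re.compile(r"^INV-\d{4}-\d{4}$")  # assumed numbering scheme
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

SAMPLE = {  # constructed sample input
    "invoice_number": "INV-2026-0042",
    "recipient_email": "billing@example.com",
    "line_items": [{"desc": "Consulting", "qty": 10, "unit_price": "150.00"}],
    "total": "1500.00",
}


def validate_invoice(inv, existing_numbers):
    """Return the problems that must be fixed before the upload may be previewed."""
    problems = []
    number = inv.get("invoice_number", "")
    if not INVOICE_NO.match(number):
        problems.append("invoice_number does not match INV-YYYY-NNNN")
    elif number in existing_numbers:
        problems.append(f"{number} already exists; an update would overwrite it")
    if not EMAIL.match(inv.get("recipient_email", "")):
        problems.append("recipient_email is not a plausible address")
    items = inv.get("line_items", [])
    if not items:
        problems.append("no line items")
    # Decimal avoids float rounding when comparing money; compare against the declared total.
    computed = sum(Decimal(str(i["qty"])) * Decimal(str(i["unit_price"])) for i in items)
    if computed != Decimal(str(inv.get("total", "0"))):
        problems.append(f"total {inv.get('total')} != sum of line items {computed}")
    return problems


def build_put_request(repo, path, inv, token, branch="main", existing_sha=None):
    """Build PUT /repos/{repo}/contents/{path} without sending it.

    The repo is pinned and the path is constrained so that interpolated values
    cannot redirect the write to another repository or directory.
    """
    if repo != ALLOWED_REPO:
        raise ValueError(f"refusing to write outside {ALLOWED_REPO}")
    if not re.fullmatch(r"invoices/INV-\d{4}-\d{4}\.json", path):
        raise ValueError("path must be invoices/<invoice_number>.json")
    body = {
        "message": f"Add invoice {inv['invoice_number']}",
        "content": base64.b64encode(json.dumps(inv, indent=2).encode()).decode(),
        "branch": branch,
    }
    if existing_sha:  # GitHub requires the current blob sha to update an existing file
        body["sha"] = existing_sha
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json",
    }
    return f"{API}/repos/{repo}/contents/{path}", headers, body


def preview(url, body):
    """What the approver sees before saying yes: exact target plus the decoded content."""
    decoded = json.loads(base64.b64decode(body["content"]))
    return {
        "url": url,
        "branch": body["branch"],
        "mode": "update" if "sha" in body else "create",
        "invoice_number": decoded["invoice_number"],
        "recipient": decoded["recipient_email"],
        "total": decoded["total"],
    }


def upload(url, headers, body, approved=False):
    """Only an explicit approval sends anything; a dry run returns None."""
    if not approved:
        return None
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="PUT"
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Typical use: run `validate_invoice` against the set of invoice numbers already in the repository, show `preview(...)` to the human, and call `upload(..., approved=True)` only after they confirm recipient, amounts and invoice number, since a file that lands in the repository is what the downstream Action turns into a PDF and an email.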