Invoice
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: netsnek-invoice
Version: 1.1.0

The skill's `SKILL.md` instructs the agent to run a shell command that embeds a user-supplied value, which opens a command-injection path that could lead to arbitrary command execution (RCE). Specifically, the instruction 'RUN: `./scripts/get-invoices.sh RE 2026 6007`', where `6007` is taken from user input (e.g., '/rechnung 6007'), means a malicious user could place shell metacharacters (e.g., '6007; rm -rf /') in the `NUMBER` argument. If the OpenClaw agent concatenates this user input into the command string and hands that string to a shell, the injected command executes with the agent's privileges. The individual shell scripts are generally well written and use their arguments safely inside quoted strings (e.g., for `curl` URLs), but quoting inside the script cannot help here: the vulnerability lies in how the agent interprets and executes the `RUN:` instruction with user-controlled parameters, before the script ever runs. Whether it is exploitable in practice depends on whether the runtime passes the value as a separate argument or interpolates it into a shell command line, which an artifact-only review cannot confirm; the conservative fix is for the skill to require an all-digit `NUMBER` and for the agent to pass it as a single argv entry.
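The following is an added example, not code from the netsnek-invoice skill or from ClawScan. It models the two ways an agent might honour the `RUN:` line: splicing the chat argument into a shell command string (here simulated with `eval`), versus validating `NUMBER` and passing it as one argument. `get_invoices` is a hypothetical stand-in for `./scripts/get-invoices.sh` that only reports the arguments it received, and the invoice numbers and payload are constructed sample input.

```sh
#!/bin/sh
# Added example: not part of the netsnek-invoice skill or of ClawScan. It shows
# why `RUN: ./scripts/get-invoices.sh RE 2026 <NUMBER>` is only safe if the
# agent validates NUMBER and passes it as a single argv entry, never as text
# spliced into a shell command line.

# Hypothetical stand-in for ./scripts/get-invoices.sh: it just reports the
# three arguments it received, so an injected second command is easy to spot.
get_invoices() {
    printf 'get-invoices type=%s year=%s number=%s\n' "$1" "$2" "$3"
}

# UNSAFE: the agent expands the chat argument into the RUN line and hands the
# resulting string to a shell (modelled here with eval). Quoting inside the
# script cannot help, because the injected ';' is parsed before the script runs.
run_unsafe() {
    eval "get_invoices RE 2026 $1"
}

# SAFE: accept only an all-digit invoice number, then pass it as one argument.
# Anything else (empty string, metacharacters, trailing spaces) is rejected
# with status 1 and nothing is executed.
run_safe() {
    case "$1" in
        ''|*[!0-9]*) printf 'rejected NUMBER: %s\n' "$1" >&2; return 1 ;;
    esac
    get_invoices RE 2026 "$1"
}

# Constructed inputs: the benign value from the SKILL.md example and a
# metacharacter payload of the kind the overview describes.
benign='6007'
payload='6007; echo INJECTED'

echo '--- unsafe, benign input'
run_unsafe "$benign"
echo '--- unsafe, injected input (the second command executes)'
run_unsafe "$payload"
echo '--- safe, benign input'
run_safe "$benign"
echo '--- safe, injected input (rejected, exit status 1)'
run_safe "$payload" || echo "exit=$?"
```

The allow-list in `run_safe` is deliberately strict: a numeric invoice number has no legitimate reason to contain anything but digits, so rejecting everything else is simpler and safer than trying to escape metacharacters.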
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After you approve an upload, the skill can write invoice files into the configured GitHub repository.
The skill performs an authenticated GitHub API write to create or update invoice JSON files. This is expected for the stated purpose, but it is still a real account mutation.
```sh
RESULT=$(curl -s -X PUT ... "https://api.github.com/repos/$REPO/contents/$FILE_PATH" ... -d "$PAYLOAD")
```
Use a dedicated private repository and review the preview carefully before approving an upload.
A broadly scoped GitHub token could allow more repository writes than intended if misconfigured.
The skill requires a GitHub token with repository content write access. This is necessary for uploading invoices, but the credential is high-impact if over-scoped.
`"GITHUB_TOKEN", "description": "GitHub Personal Access Token with contents:write permissions"`
Use a fine-grained PAT limited to the single invoice repository with only the required Contents read/write permission; a classic PAT with the `repo` scope would grant write access to every repository the account can reach.
Invoice/customer details and bank information may remain stored in GitHub for long periods.
The skill persists sensitive business and financial information in a GitHub repository and may retrieve it later for invoice workflows.
The target repository **must be private**. It stores invoice data including:
- Company names and addresses
- VAT IDs and bank details (IBAN, BIC)
- Pricing and line item details
Keep the repository private, limit collaborator access, and ensure retention policies match your legal and privacy obligations.
If you approve an incorrect invoice, repository automation may generate and send the wrong document.
Uploading a JSON invoice may trigger downstream automation outside the skill itself. This is disclosed and purpose-aligned, but a mistaken upload could propagate to generated PDFs or email delivery.
GitHub Action builds the PDF and sends it via email
Confirm recipient, amounts, invoice number, and repository automation behavior before approving the upload.
