Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Invoicy
v1.0.0
Generate, download, and email professional invoices with GST/IGST support and flexible payment terms.
by ToolWeb @krishnakumarmahadevan-cmd
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and openapi.json describe a complete invoice service (invoice lifecycle, SMTP email sending, storage, GST handling). However the skill is instruction-only with no implementation, no server/base URL in the OpenAPI, and no install or required credentials. A consumer cannot actually perform the claimed operations from this package alone; that mismatch between claimed capability and what is provided is a coherence concern.
Instruction Scope
The instructions are narrowly scoped to API endpoints and example payloads and do not instruct the agent to read local files, environment variables, or unrelated system state. They do, however, include request fields for sensitive data (bank account, IFSC, UPI, SMTP credentials) which would be supplied as API/body parameters if a backend existed.
Install Mechanism
No install spec or code is provided (instruction-only). This is low-risk from an installation perspective, but it also explains why the skill cannot operate on its own.
Credentials
The skill requests no environment variables or credentials. That is proportionate for a documentation/spec-only asset. However, the examples expect sensitive data to be included in requests (bank account, PAN, GSTIN, SMTP user/pass). Because there is no target server specified, supplying such secrets would be risky — there is no clear authority or endpoint to receive them.
Persistence & Privilege
The skill does not request persistent or elevated privileges and is not always-enabled. There is no evidence it modifies other skills or system settings.
What to consider before installing
This package appears to be documentation/OpenAPI for an invoice API rather than a working connector. Before installing or using it:
(1) do not provide real bank, PAN, GSTIN, or SMTP credentials to this skill — there is no server URL or trusted backend specified;
(2) ask the publisher for the API base URL and hosting details and verify the HTTPS endpoint and privacy policy;
(3) if you need an executable connector, prefer a skill that includes a clear server address or code and requests only the minimum necessary credentials;
(4) treat this as a spec or template only, not a drop-in service — avoid sending secrets into the agent until you confirm where they will be stored/transmitted.
