ADP Global Invoice Extraction · Free API

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only invoice extraction skill that clearly sends user-chosen documents to Laiye cloud APIs, but users should treat uploaded invoices as sensitive data.

Install only if you are comfortable sending selected invoices, receipts, or public file URLs to Laiye-operated cloud endpoints. Do not submit confidential, regulated, customer, employee, tax, or payment documents unless you are authorized to share them and have reviewed Laiye's data handling, retention, regional processing, and compliance terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The README explicitly instructs users to send invoice and receipt files to a public third-party API, but it does not provide any privacy notice, retention policy, consent guidance, or warning that these documents can contain sensitive financial and personal data. Because invoices often include names, addresses, tax IDs, banking details, and purchase history, encouraging upload without clear data-handling disclosure creates a real confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README instructs users to send full invoice files and receipts to third-party API endpoints without any clear privacy, retention, jurisdiction, or sensitive-data handling warning. Because invoices commonly contain financial, tax, billing, and personal information, this creates a real data exposure and compliance risk, especially in enterprise or cross-border contexts.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs users to upload invoices and receipts, which commonly contain sensitive financial and personal data, to a third-party remote API without any meaningful privacy, retention, jurisdiction, or data-handling warning. This can lead users or downstream agents to exfiltrate confidential documents off-platform without informed consent or adequate controls.

VirusTotal

63/63 vendors flagged this skill as clean.
