Skill v1.1.0
ClawScan security
OPC Invoice Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 5:04 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill appears internally consistent with an accounts-receivable/invoicing purpose — it runs included Python scripts against a local invoices archive, uses only stdlib, requests no credentials, and has no install step or external endpoints.
- Guidance
- This skill appears coherent and implements invoicing workflows using the two included Python scripts. Before installing, review these practical points: (1) confirm where the skill will store files — it reads/writes invoices/, INDEX.json and .numbering-config.json in the working directory; avoid pointing it at any system or sensitive directories; (2) inspect the two Python scripts yourself (they use only the standard library and appear to perform local file/JSON processing) and verify you’re comfortable with them executing; (3) the registry source/homepage are unknown — consider obtaining the skill from a verified repository or author if possible; (4) ensure the runtime environment has Python 3.8+ and that running untrusted scripts in your agent environment matches your security policy; (5) because the skill can run scripts, consider limiting autonomous invocation or reviewing agent sandboxing if you are concerned about code execution. Overall the behaviour is proportional to its invoicing purpose.
Review Dimensions
- Purpose & Capability
- ok: Name/description match what the skill implements: invoice generation, aging, collections and basic reconciliation. The files and declared behavior (templates, client/profile JSON, numbering and tracker scripts) are appropriate and proportional to that purpose.
- Instruction Scope
- note: SKILL.md instructs the agent to run the included Python scripts (invoice_tracker.py and invoice_numbering.py) and to read/write files under an invoices/ and optional contracts/ archive. This is coherent with invoicing functionality but means the agent will read and update local invoice metadata and write INDEX.json and .numbering-config.json in the invoices directory. No instructions reference unrelated system paths or external endpoints.
- Install Mechanism
- ok: No install specification. The skill is instruction+script only and relies on Python 3.8+ stdlib. No downloads or package installs are requested.
- Credentials
- ok: The skill declares no required environment variables, no credentials, and no config paths outside its project. The code operates on local files (invoices/, contracts/) which is expected for this functionality.
- Persistence & Privilege
- note: The skill is not always-enabled and does not request elevated privileges. It will create/update local artifacts (INDEX.json, .numbering-config.json and invoice metadata) in the invoices directory when run — normal for an invoicing tool but worth noting because those files are persisted to disk.
