Invoice Validation

Review

Audited by ClawScan on May 12, 2026.

Overview

This invoice-checking skill is generally coherent and purpose-aligned, but it sends invoice data/files to an external service, requires an API key, and documents a user-confirmed remote update command.

Install only if you trust ClawMate to process your invoice data. Keep the CLAWMATE_API_KEY secret, confirm each validation or batch list before sending, avoid broad private directories, and be cautious with the manual curl/unzip update command.

Publisher note

Invoice validation depends on our service; to obtain validation results quickly and efficiently, the skill needs to call the service API.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use your ClawMate account quota or billing entitlement when checking invoices.

Why it was flagged

The skill requires a provider API key, which is expected for the stated hosted invoice validation service and is explicitly disclosed.

Skill content

The API key is read from the environment variable `CLAWMATE_API_KEY`.

Recommendation

Use a dedicated API key if available, keep it out of chat, and revoke or rotate it if you stop using the skill.

What this means

Invoice data may include business names, tax IDs, amounts, and bank account details, and these will be processed by the external ClawMate service.

Why it was flagged

Invoice fields or uploaded invoice files are sent to the disclosed external validation API, which is central to the skill's purpose.

Skill content

Endpoint: `POST https://www.clawmate.net/server/test/Api/InvoiceValidate`

Recommendation

Only validate invoices you are allowed to share with this service, and avoid pointing batch mode at unrelated private directories.

What this means

A batch run could validate and upload several invoices and consume service balance or quota.

Why it was flagged

The skill supports batch validation with parallel API calls, which is purpose-aligned but can consume API quota and process multiple files at once.

Skill content

More than 5 invoices | run in batches, 5 per batch in parallel

Recommendation

Review the displayed batch list before confirming, especially when using a large or broad directory.

What this means

If you run the update command, the skill code can be replaced by whatever is served from that URL.

Why it was flagged

The documented update flow downloads a ZIP from the provider and overwrites the installed skill directory; it is disclosed and says to run only after user confirmation, but no checksum or signature is shown.

Skill content

curl -o /tmp/cm-invoice-validate.zip https://www.clawmate.net/server/test/cm-invoice-validate.zip
mkdir -p ~/.agents/skills/cm-invoice-validate
unzip -o /tmp/cm-invoice-validate.zip -d ~/.agents/skills/cm-invoice-validate/

Recommendation

Only run the update command if you trust the publisher and source URL; prefer a signed or registry-mediated update path when available.