Invoice Recognition - Invoice Verification - Invoice OCR (Xiangyun Open Platform)

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.insecure_tls_verification

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Someone with access to the local skill directory could read the API credentials and use the associated NetOCR account.

Why it was flagged

The skill requires a NetOCR key and secret and stores them persistently in the skill directory.

Skill content
Credentials must be configured before first use. Credentials are stored in `config.json` under this Skill's directory.
Recommendation

Use a dedicated NetOCR key if possible, keep the skill directory private, and rotate the key if you suspect local exposure.

What this means

Invoice images, PDFs, and extracted financial details may be processed by a third-party service.

Why it was flagged

The skill explicitly sends user invoice images and API credentials to the external NetOCR/Xiangyun service for OCR and verification.

Skill content
User images and API credentials are sent over HTTPS to Xiangyun (netocr.com) for processing.
Recommendation

Only use this skill for invoices you are allowed to send to netocr.com, and confirm the provider’s privacy and data-retention terms.

What this means

Manual installation could resolve to newer dependency versions than the author tested.

Why it was flagged

The dependency file uses lower-bound version ranges rather than pinned exact versions, and no install spec is provided.

Skill content
requests>=2.28.0
openpyxl>=3.1.0
Pillow>=9.0.0
Recommendation

Install dependencies in an isolated environment and consider pinning known-good versions for production use.

Findings (1)

warn

suspicious.insecure_tls_verification

Location
scripts/invoice.py:656
Finding
HTTPS certificate verification is disabled at this location, so the TLS connection made there is not authenticated against the server's certificate and the data it carries is exposed to interception.