发票识别-发票查验-发票OCR(翔云开放平台)
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: ocr-invoice-xiangyun Version: 1.0.0 The skill bundle is a legitimate implementation for invoice OCR and verification using the Xiangyun (netocr.com) API. The Python scripts (invoice.py, export_invoice.py) are well-structured, align with the stated purpose in SKILL.md, and only communicate with the official API endpoints via HTTPS. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone with access to the local skill directory could read the API credentials and use the associated NetOCR account.
The skill requires a NetOCR key and secret and stores them persistently in the skill directory.
首次使用必须配置凭据。凭据存储于本 Skill 目录下的 `config.json`。
Use a dedicated NetOCR key if possible, keep the skill directory private, and rotate the key if you suspect local exposure.
Invoice images, PDFs, and extracted financial details may be processed by a third-party service.
The skill explicitly sends user invoice images and API credentials to the external NetOCR/Xiangyun service for OCR and verification.
用户图片及 API 凭据通过 HTTPS 发送至翔云(netocr.com)进行处理
Only use this skill for invoices you are allowed to send to netocr.com, and confirm the provider’s privacy and data-retention terms.
Manual installation could resolve to newer dependency versions than the author tested.
The dependency file uses lower-bound version ranges rather than pinned exact versions, and no install spec is provided.
requests>=2.28.0 openpyxl>=3.1.0 Pillow>=9.0.0
Install dependencies in an isolated environment and consider pinning known-good versions for production use.