Skill v1.0.0
ClawScan security
vietnam-invoice · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 7, 2026, 1:16 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill appears to implement Vietnam invoice verification as described, but there are important inconsistencies and privacy risks (undeclared required credentials, image uploads to third parties, and heavy runtime dependencies) that warrant caution.
- Guidance
- This skill implements the declared task, but be aware of several risks before installing/using it:
  - Manifest mismatch: the registry lists no required env vars, but the SKILL.md and code require VL_API_KEY, CJY_USER, and CJY_PASS. Expect to set sensitive credentials for operation.
  - Data leakage: the skill uploads full invoice images (base64) to an external VL/model endpoint and sends captcha images to a third‑party captcha solver (ChaoJiYing). If invoices contain PII or confidential tax numbers, those will be transmitted to those services. Only use with data you are comfortable sharing with those providers.
  - Credential handling: CJY uses account+password (not an API token); avoid reusing high-privilege credentials. Prefer accounts with minimal privileges and rotate credentials if exposed.
  - Environment/setup: the skill requires Playwright and an msedge browser install, plus PyMuPDF/Pillow. Run in an isolated environment (container/VM) if possible.
  - Trust & provenance: the skill's source/homepage is unknown. If you will process real invoices, request provenance from the author or prefer an officially supported tool. Review the code yourself (or have a trusted reviewer) before supplying credentials.

  What would increase confidence: author/source verification, corrected registry metadata declaring required env vars, and explicit user-facing warnings that images and data are sent to the VL provider and ChaoJiYing (with option to disable external services or use local OCR).
Review Dimensions
- Purpose & Capability
- note: The code (verify_vl.py + pdf_to_images.py) matches the stated purpose: it extracts invoice fields (via a VL model) and queries the Vietnam tax API. Requiring a VL API key and a captcha-solving account (CJY_USER/CJY_PASS) is coherent with that functionality. However, the skill registry metadata declares no required environment variables while the SKILL.md and code clearly require VL_API_KEY, CJY_USER, and CJY_PASS — this manifest mismatch is an incoherence.
- Instruction Scope
- concern: Runtime instructions and code send full invoice images (base64 data URLs) to an external VL/model service and send captcha images to a third‑party captcha solving service (upload.chaojiying.net). The script also contacts the Vietnam tax endpoint (hoadondientu.gdt.gov.vn:30000). These operations may exfiltrate sensitive invoice data (including personal/company tax IDs) to external providers. The SKILL.md does instruct the user to set env vars, but does not explicitly warn that invoice images will be uploaded to these external services.
- Install Mechanism
- ok: There is no package download or remote installer; dependencies are installed via pip and Playwright (msedge). requirements.txt lists standard PyPI packages. No arbitrary remote code downloads or obscure URLs are present in the install process.
- Credentials
- concern: The code requires credentials named CJY_USER/CJY_PASS (captcha solver account) and VL_API_KEY (model API key), which are sensitive and are used to send image data to external services. While these credentials are functionally required, the registry metadata failed to declare them. Requiring a username/password (CJY) and an API key is proportional to the feature but increases privacy risk because invoice images and captcha images are transmitted off‑site.
- Persistence & Privilege
- ok: The skill does not request persistent/always-on status and does not modify system-wide settings. It is user-invocable and runs only when invoked.
