SmartBill Invoicing

Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill is purpose-built for SmartBill invoicing and discloses its sensitive account access and invoice-creation powers, with dry-run and explicit final-issue controls.

Install only if you intend to let the agent work with your SmartBill account. Before creating final invoices, review the dry-run payload carefully, keep SmartBill credentials protected, and avoid enabling debug logs unless you are comfortable with invoice and customer details appearing in local run logs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used incorrectly, the agent could create real invoices in the user's SmartBill account.

Why it was flagged

The skill can perform a high-impact API action by issuing invoices, but the workflow frames final issuance as user-confirmed and separate from dry-run validation.

Skill content
Issue final invoice after explicit user confirmation:
- `python scripts/smartbill_cli.py create-invoice --input <invoice.json> --allow-final`
Recommendation

Always inspect the dry-run payload and only allow final invoice creation after confirming client, amounts, dates, and invoice series.
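One way to make that recommendation mechanical rather than a matter of eyeballing JSON, as an added example that is not part of the skill or of ClawScan's output: compare the dry-run payload field by field against values the user has explicitly confirmed, and only append `--allow-final` to the command when every check passes. The invoice JSON layout (`client.vatCode`, `seriesName`, `issueDate`, `dueDate`, `products[].quantity/price`) and the idea that omitting `--allow-final` keeps the run in dry-run mode are assumptions for illustration; the page shows only the final-issue command, not the skill's schema.

```python
"""Added example: gate `--allow-final` behind a user-confirmed checklist.

Not code from the SmartBill skill. The payload shape below is an assumed
illustration of what a dry-run might echo back; the real schema is unknown.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Any

# Constructed sample dry-run output (hypothetical field names).
DRY_RUN_PAYLOAD = json.dumps({
    "client": {"name": "Example SRL", "vatCode": "RO12345678"},
    "seriesName": "FCT",
    "issueDate": "2026-05-01",
    "dueDate": "2026-05-31",
    "products": [
        {"name": "Consulting", "quantity": "2", "price": "500.00"},
        {"name": "Hosting", "quantity": "1", "price": "120.00"},
    ],
})


@dataclass
class Confirmation:
    """What the user stated they expect, collected before issuing."""
    client_vat: str
    series: str
    issue_date: str
    due_date: str
    total: Decimal


@dataclass
class GateResult:
    allowed: bool
    problems: list[str] = field(default_factory=list)


def _total(products: list[dict[str, Any]]) -> Decimal:
    # Decimal, not float, so rounding drift cannot mask a real mismatch.
    total = Decimal("0")
    for p in products:
        total += Decimal(str(p["quantity"])) * Decimal(str(p["price"]))
    return total


def gate_final_issue(dry_run_json: str, confirmed: Confirmation) -> GateResult:
    """allowed=True only if every confirmed field matches the dry-run payload."""
    problems: list[str] = []
    try:
        payload = json.loads(dry_run_json)
    except json.JSONDecodeError as exc:
        return GateResult(False, [f"dry-run payload is not valid JSON: {exc}"])

    checks = {
        "client VAT code": (payload.get("client", {}).get("vatCode"), confirmed.client_vat),
        "invoice series": (payload.get("seriesName"), confirmed.series),
        "issue date": (payload.get("issueDate"), confirmed.issue_date),
        "due date": (payload.get("dueDate"), confirmed.due_date),
    }
    for label, (got, want) in checks.items():
        if got != want:
            problems.append(f"{label}: dry-run has {got!r}, user confirmed {want!r}")

    try:
        got_total = _total(payload.get("products", []))
    except (KeyError, InvalidOperation, TypeError) as exc:
        return GateResult(False, problems + [f"cannot compute total: {exc}"])
    if got_total != confirmed.total:
        problems.append(f"total: dry-run sums to {got_total}, user confirmed {confirmed.total}")

    return GateResult(not problems, problems)


def build_command(input_path: str, gate: GateResult) -> list[str]:
    """Append --allow-final only when the gate passed (assumed: no flag = dry-run)."""
    cmd = ["python", "scripts/smartbill_cli.py", "create-invoice", "--input", input_path]
    if gate.allowed:
        cmd.append("--allow-final")
    return cmd


if __name__ == "__main__":
    ok = gate_final_issue(DRY_RUN_PAYLOAD, Confirmation(
        "RO12345678", "FCT", "2026-05-01", "2026-05-31", Decimal("1120.00")))
    print(ok, build_command("invoice.json", ok))
    bad = gate_final_issue(DRY_RUN_PAYLOAD, Confirmation(
        "RO12345678", "FCT", "2026-05-01", "2026-05-31", Decimal("1020.00")))
    print(bad, build_command("invoice.json", bad))
```

The point of the gate is that the agent never decides on its own that the payload "looks right": the confirmed values come from the user, and any mismatch, including an unparseable dry-run, keeps the run in the non-final form.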

What this means

Anyone or any agent process with access to these environment variables can act through the configured SmartBill API credentials.

Why it was flagged

The skill requires SmartBill credentials and company identity information to call the SmartBill API on the user's behalf.

Skill content
`SMARTBILL_USERNAME` - SmartBill login email; `SMARTBILL_TOKEN` - SmartBill API token; `SMARTBILL_COMPANY_VAT_CODE` - default CIF
Recommendation

Use a dedicated SmartBill API token if available, store it securely, avoid sharing logs or shells containing it, and rotate it if exposure is suspected.

What this means

Invoice/customer details could appear in terminal logs or agent run logs when debug mode is enabled.

Why it was flagged

Debug mode prints the full request payload to stderr, which can include invoice, client, and product details; the Authorization header is redacted in the shown code, but the request body is logged as-is.

Skill content
if self.config.debug: ... log_entry["smartbill_request"]["body"] = json.loads(payload.decode("utf-8")) ... print(json.dumps(log_entry, ensure_ascii=False), file=sys.stderr)
Recommendation

Keep debug mode off unless needed, and treat debug/run logs as sensitive business records.
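Because the second and third findings meet in the debug log (the token from `SMARTBILL_TOKEN` and the customer details in the request body can both end up on stderr), here is an added example of a debug-log writer that scrubs both before printing. It is not code from the SmartBill skill or from ClawScan. The `log_entry` layout mirrors the snippet above, but the masked field names (`vatCode`, `email`, `address`, `phone`, `iban`) and the placeholder URL are assumptions; only the `SMARTBILL_USERNAME` and `SMARTBILL_TOKEN` variable names come from the page.

```python
"""Added example: redacting debug logger for an API client.

Not code from the SmartBill skill. Field names in MASKED_KEYS are assumed;
SMARTBILL_USERNAME / SMARTBILL_TOKEN are the variable names the skill documents.
"""
from __future__ import annotations

import copy
import json
import os
import sys
from typing import Any

# Environment variables whose values must never appear verbatim in a log line.
SECRET_ENV_VARS = ("SMARTBILL_TOKEN", "SMARTBILL_USERNAME")
# Keys holding credential material: replaced outright, whatever the value.
SECRET_KEYS = {"authorization", "token", "password"}
# Keys holding customer/business details: masked so entries stay distinguishable.
MASKED_KEYS = {"vatcode", "email", "address", "phone", "iban"}
REDACTED = "[REDACTED]"


def _mask(value: str) -> str:
    """Keep the last two characters so a human can tell records apart."""
    if len(value) <= 2:
        return "*" * len(value)
    return "*" * (len(value) - 2) + value[-2:]


def scrub(obj: Any, secrets: tuple[str, ...]) -> Any:
    """Recursively redact credential keys, mask PII keys, and strip secret
    values wherever they occur (headers, URLs, nested body, free text)."""
    if isinstance(obj, dict):
        out: dict[str, Any] = {}
        for k, v in obj.items():
            kl = str(k).lower()
            if kl in SECRET_KEYS:
                out[k] = REDACTED
            elif kl in MASKED_KEYS and isinstance(v, str):
                out[k] = _mask(v)
            else:
                out[k] = scrub(v, secrets)
        return out
    if isinstance(obj, list):
        return [scrub(item, secrets) for item in obj]
    if isinstance(obj, str):
        # Substring replacement catches tokens embedded in URLs or messages.
        for s in secrets:
            if s in obj:
                obj = obj.replace(s, REDACTED)
        return obj
    return obj


def debug_entry(log_entry: dict, secrets: tuple[str, ...] | None = None) -> str:
    """Return the JSON line that is safe to print; secrets default to env values."""
    if secrets is None:
        secrets = tuple(os.environ.get(v, "") for v in SECRET_ENV_VARS)
    secrets = tuple(s for s in secrets if s)  # ignore unset variables
    safe = scrub(copy.deepcopy(log_entry), secrets)  # never mutate the caller's copy
    return json.dumps(safe, ensure_ascii=False)


def log_debug(log_entry: dict, debug: bool) -> None:
    """Drop-in for the `if self.config.debug: print(...)` pattern."""
    if debug:
        print(debug_entry(log_entry), file=sys.stderr)


# Constructed sample log entry (hypothetical URL and field names).
SAMPLE_ENTRY = {
    "smartbill_request": {
        "url": "https://api.example.invalid/invoice?token=tok_secret_123",
        "headers": {"Authorization": "Basic dXNlcjp0b2s=", "Content-Type": "application/json"},
        "body": {
            "client": {"name": "Example SRL", "vatCode": "RO12345678", "email": "alice@example.com"},
            "products": [{"name": "Consulting", "price": "500.00"}],
        },
    }
}

if __name__ == "__main__":
    print(debug_entry(SAMPLE_ENTRY, secrets=("tok_secret_123", "alice@example.com")))
```

Even with scrubbing in place, the recommendation stands: the masked body still reveals invoice structure, amounts and product names, so debug output should stay off by default and the resulting logs handled as business records.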