Maverick Smartbill Invoicing
Pass
Audited by ClawScan on May 13, 2026.
Overview
This appears to be a coherent SmartBill invoicing helper, but it can use SmartBill credentials and issue real invoices, so final actions need careful user confirmation.
Install only if you trust the publisher and intend to let the agent work with your SmartBill account. Always inspect the dry-run output before approving final invoice creation, keep debug logging off unless troubleshooting, and protect the SmartBill token like a password.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could create real invoices in the user's SmartBill account.
Creating a final invoice is a high-impact business action, but the skill clearly discloses it and requires explicit confirmation plus an --allow-final flag.
Issue final invoice after explicit user confirmation:
- `python scripts/smartbill_cli.py create-invoice --input <invoice.json> --allow-final`
Review the dry-run payload first and only approve --allow-final when the invoice details are correct.
The skill can act through the user's SmartBill account using the provided token.
The skill requires SmartBill account credentials and company identity information, which is expected for API invoicing but grants account-level authority.
- `MAVERICK_SMARTBILL_USERNAME` - SmartBill login email
- `MAVERICK_SMARTBILL_TOKEN` - SmartBill API token
- `MAVERICK_SMARTBILL_COMPANY_VAT_CODE` - default CIF
Use a token with the minimum necessary SmartBill permissions if available, keep it out of shared logs, and rotate it if exposure is suspected.
Invoice and client details could appear in terminal logs or captured run logs when debug mode is enabled.
Debug output can include invoice payloads and SmartBill responses, which may contain client and business information, although the behavior is disclosed and optional.
Pass `--debug` (or set `MAVERICK_SMARTBILL_DEBUG=1`) to print full request/response payloads to stderr.
Leave debug logging off unless needed, and avoid sharing logs that contain invoice payloads or SmartBill responses.
Users have less external context for deciding whether to trust the publisher with SmartBill account access.
The skill source and homepage are not provided, which limits provenance verification for a tool that handles financial API credentials.
Source: unknown
Homepage: none
Review the included script and publisher identity before installing, especially before adding real SmartBill credentials.
