Korean Invoice Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to generate invoices as advertised, but crafted client or invoice data could make it write files outside its output folder or run scripts in the local browser during PDF generation.
Before installing, replace the bundled sample business information, keep the data directory private, and avoid using untrusted client names, item names, or notes until the skill sanitizes filenames and HTML fields. Also confirm that generated tax invoices meet your legal/compliance needs before sending them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or malicious client name could cause generated HTML/PDF files to be written outside the skill's output folder, potentially overwriting files the user did not intend to touch.
The saved client name is used directly in the output filename. If a client name contains path separators or '..' segments, path.join can resolve outside the intended output directory.
const filename = `${issueDate}-견적서-${client.name}`;
const htmlPath = path.join(OUTPUT_DIR, `$(unknown).html`);
fs.writeFileSync(htmlPath, html, 'utf-8');
Sanitize client names before using them in paths, reject path separators and '..', and verify the resolved path stays under the output directory before writing.
If invoice fields contain HTML or script content, that content could execute in the local browser during PDF generation and potentially access or transmit document contents.
User-controlled or stored invoice fields are inserted into HTML without escaping, then the generated file is opened in a browser for PDF creation.
<td>${item.name}</td>
...
.replace(/{{notes}}/g, options.notes || '');
...
await page.goto(`file://${htmlPath}`, { waitUntil: 'networkidle0' });
HTML-escape all template values, sanitize stored client/item data, and consider disabling JavaScript in Puppeteer during PDF rendering.
Business identity and customer data will remain in the skill directory and may be reused in later invoices.
The skill persistently stores supplier and client business details, including contact and bank-account-style data, for reuse in future documents.
Client data is stored in `data/clients.json`. ... My business information is stored in `data/my-info.json` ... "bankAccount": "우리은행 1002-123-456789"
Review and replace the sample data before use, protect the data directory, and avoid storing unnecessary sensitive fields.
Installing dependencies may pull code from npm before the skill can fully work.
The skill documents an npm install step even though the registry says there is no install spec. The dependency is purpose-aligned for Puppeteer PDF generation, but users should notice the under-declared install requirement.
cd /Users/mupeng/.openclaw/workspace/skills/korean-invoice
npm install
Review package.json/package-lock.json and install dependencies only from a trusted environment.
