Korean Invoice
Pass
Audited by VirusTotal on May 12, 2026.
Findings (1)
The skill is classified as suspicious due to significant vulnerabilities related to input sanitization and potential path traversal. The `scripts/generate.js` script directly inserts user-controlled data (e.g., client names, item descriptions, notes) into HTML templates without proper escaping. This creates an HTML Injection/Cross-Site Scripting (XSS) vulnerability, where malicious HTML/JavaScript injected into these fields could execute within the `puppeteer-core` controlled browser (connecting to `http://localhost:18800`). Such an exploit could lead to local file access or network requests from the browser's context. Additionally, the construction of output filenames in `scripts/generate.js` using the user-controlled `client.name` (which is not sanitized in `scripts/manage-clients.js`) could allow path traversal, enabling an attacker to write files outside the intended `output/` directory. While there is no clear evidence of intentional malice, these vulnerabilities pose a significant risk.
