Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
unified-invoice
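v1.1.0
Unified quotation/tax invoice generator. Korean-style quotations (business registration number, VAT) + freelancer invoices (multilingual, VAT). Client/item DB, PDF output, automatic calculation.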
⭐ 0· 631·1 current·1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Korean invoices, freelance invoices, templates, client/item DB) align with included scripts, templates, and data files. package.json dependency (puppeteer-core) is appropriate for HTML→PDF conversion. CLI commands in SKILL.md correspond to scripts/generate.js, manage-clients.js, and manage-items.js.
Instruction Scope
Runtime instructions and code operate on local files (data/*.json, templates/, output/) and create an events JSON. generate.js uses puppeteer.connect to a local browser (http://localhost:18800) for PDF conversion. freelance-run.sh writes invoices and an event file under a workspace directory. These behaviors are within expected scope but the skill will write personal/business info (data/my-info.json) and invoice files to disk — review those files if they contain sensitive bank/account info.
Install Mechanism
There is no formal install spec in the registry metadata, but SKILL.md instructs running npm install; package.json declares puppeteer-core which is a standard dependency. This is reasonable, but npm install will fetch packages from the registry — run it in a trusted environment. No downloads from arbitrary URLs or extract steps are present.
Credentials
Registry lists no required env vars, but scripts accept/use WORKSPACE and EVENTS_DIR (freelance-run.sh) and the code expects a local browser at port 18800. Those are reasonable defaults but are not declared as required; users should be aware the skill will attempt to connect to localhost:18800 and will create files under $HOME/.openclaw/workspace (or $WORKSPACE). The skill stores bankAccount and other personal/business fields in data/my-info.json — sensitive data remains local but will be written to disk in the skill/workspace directories.
Persistence & Privilege
Skill does not request permanent platform privileges (always:false). It only writes files under its own directories and a workspace path, and it does not modify other skills or global agent configuration. Autonomous invocation is permitted by default but nothing in the code attempts to self-enable or persist beyond local files.
Assessment
This skill appears coherent and implements a local invoice generator. Before installing:
1) Review data/my-info.json and remove any sensitive bank/account identifiers you don't want stored.
2) npm install will fetch puppeteer-core — run it in a controlled environment and ensure a compatible OpenClaw browser is running at http://localhost:18800 (SKILL.md notes this).
3) Note the scripts will create files under the skill directory and a workspace path (default $HOME/.openclaw/workspace) and write event JSON files; if you have policy concerns about file locations, set WORKSPACE/EVENTS_DIR explicitly.
4) If you require network isolation, ensure the local browser connection is permitted only to localhost.
5) If you want extra assurance, run the scripts in a sandbox and inspect their output files; there are no hidden remote endpoints or declared secret/env requirements beyond optional WORKSPACE/EVENTS_DIR and the local browser port.
Like a lobster shell, security has layers — review code before you run it.
latest: vk975q6ad8zfd20rrdmchqkhsqs81c1k6
