ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ntriq X402 Invoice Extract Batch

v1.0.0

Batch extract structured data from up to 500 invoices/receipts. Flat $9.00 USDC via x402.

0· 48·1 current·1 all-time
byntriq@ntriq-gh
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill advertises local inference on a Mac Mini but the SKILL.md instructs the agent to POST image URLs to https://x402.ntriq.co.kr/invoice-extract-batch, a remote endpoint — these claims conflict. The payment flow (flat $9 USDC via x402) is central to the service, yet no environment variables or credentials are declared for providing the required X-PAYMENT header. Requiring a blockchain payment or payment header would be proportionate for this purpose, but the skill fails to declare how that credential is obtained or stored.
!
Instruction Scope
The instructions direct the agent to transmit user-provided invoice/receipt image URLs (potentially sensitive financial data) to an external endpoint and to include an X-PAYMENT header. The SKILL.md does not specify where the X-PAYMENT value should come from, how to obtain/authorize it, or any privacy/retention guarantees. There is no guidance on how to handle uploading images (the example uses URLs), error handling, or user consent for sending sensitive documents off-platform.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not add binaries or write files to disk during install — low install-time risk.
!
Credentials
No environment variables or primary credential are declared, yet the API requires an X-PAYMENT header for payment. If the payment header maps to a wallet key or token, that is a secret the skill should have declared and justified. The absence of declared credentials is a gap: the agent (or user) must supply a payment token somehow, but the SKILL.md doesn't explain the mechanism, expected format, or whether private keys/wallet access is required.
Persistence & Privilege
The skill does not request always:true and uses default invocation settings. There is no install-time behavior that would modify other skills or system-wide settings. Autonomous invocation is permitted but is the platform default and not an additional risk here by itself.
Scan Findings in Context
[no_regex_findings] expected: The static scanner found no code or regex hits because this is an instruction-only skill (only SKILL.md). That absence is expected and does not imply the skill is safe; the runtime instructions are the main surface to review.
What to consider before installing
This skill asks you to send invoice images to an external API and to include an X-PAYMENT header for a $9 USDC charge, but it does not say how to obtain or store that payment token and even claims '100% local inference' while pointing to a remote endpoint — those are red flags. Before installing or using it: 1) Ask the publisher to explain exactly how X-PAYMENT is generated, whether it requires wallet private keys, and whether you must provide any secrets. 2) Verify the vendor (x402.ntriq.co.kr) and read their privacy/retention policy for uploaded invoices. 3) Do not provide private keys or wallet seed phrases; prefer a pre-issued payment token or an audited on-chain payment flow. 4) If you will send sensitive invoices, confirm whether images are uploaded to the vendor or processed locally and whether data is stored. If the publisher cannot clearly document the payment flow and data handling, treat the skill as risky and avoid using it.

Like a lobster shell, security has layers — review code before you run it.

latestvk974dv3er27p4et26bbdqvf62584t6k9
48downloads
0stars
1versions
Updated 6d ago
v1.0.0
MIT-0
ntriq@ntriq-gh
latest
Download

Invoice Extract Batch (x402)

Extract structured fields (vendor, amounts, line items, dates) from up to 500 invoice or receipt images in a single call. Flat $9.00 USDC. 100% local inference on Mac Mini.

How to Call

POST https://x402.ntriq.co.kr/invoice-extract-batch
Content-Type: application/json
X-PAYMENT: <x402-payment-header>

{
  "images": [
    "https://example.com/invoice1.jpg",
    "https://example.com/receipt2.jpg"
  ]
}

Parameters

ParameterTypeRequiredDescription
imagesarrayInvoice/receipt image URLs (max 500)
languagestringOutput language (default: en)

Example Response

{
  "status": "ok",
  "count": 2,
  "results": [
    {
      "image_url": "https://example.com/invoice1.jpg",
      "status": "ok",
      "invoice": {
        "vendor_name": "Acme Corp",
        "invoice_number": "INV-2026-0042",
        "invoice_date": "2026-04-01",
        "total": 1250.00,
        "currency": "USD",
        "line_items": [{"description": "Consulting", "quantity": 10, "unit_price": 125, "amount": 1250}]
      }
    }
  ]
}

Payment

  • Price: $9.00 USDC flat (up to 500 invoices)
  • Network: Base mainnet (EIP-3009 gasless)
  • Protocol: x402
curl https://x402.ntriq.co.kr/services

Comments

Loading comments...