Invoice Guard

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's stated purpose (invoice dedupe, tax verification, Feishu report generation) aligns with the included code, but the runtime instructions and manifest omit required external binaries/credentials and reference network endpoints (tax.gov scraping, Feishu APIs, third‑party OCR CLI) — an incoherence that warrants caution before installation.

This skill mostly does what it says (invoice OCR → dedupe → optional tax verification → Feishu report), but the manifest omits crucial runtime dependencies and credentials. Before installing or supplying secrets:

1) Ask the author to declare required binaries and environment variables (miaoda‑studio‑cli, Feishu app tokens, tax API credentials).
2) Inspect the Python scripts for any outbound network calls (HTTP/HTTPS) and confirm destination hosts and endpoints (including whether data is sent to 124.220.60.10).
3) Do not provide production Feishu or tax credentials until you verify where data is sent and implement minimal-scope credentials.
4) Test in an isolated environment with non-sensitive sample invoices.
5) If captcha/website scraping is used for tax.gov, prefer official API/enterprise integration rather than automated scraping of public pages.

If the author cannot clearly document/justify the undeclared dependencies and endpoints, treat the skill as high-risk and avoid using it with real sensitive data.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

No visible risk-analysis findings were reported for this release.