ZUGFeRD Invoice Merger
v1.0.0Merge ZUGFeRD 2.1 compliant invoice PDF and time report into a single visible multi-page PDF/A-3b file with embedded XML for German B2B/Gov use.
⭐ 0· 261·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (ZUGFeRD invoice merger) match the code and required tools: Java (mustang.jar) and GhostScript are legitimately needed for extracting/re‑embedding ZUGFeRD XML and producing PDF/A‑3. No unrelated environment variables or credentials are requested. Minor note: the SKILL.md and scripts assume a macOS/homebrew layout (/opt/homebrew/opt/openjdk@21) and recommend brew; the skill has no OS restriction declared, so platform assumptions should be documented or adjusted.
Instruction Scope
SKILL.md and the two Python scripts only operate on user-supplied PDFs and local temporary/output paths. The runtime steps are explicit (extract XML, merge with gs, convert to PDF/A‑3, re‑embed XML with mustang). There are no instructions to read unrelated system files or to transmit data to remote endpoints. The scripts call external binaries (java, gs) with arguments; subprocess calls use argument lists (no shell interpolation).
Install Mechanism
No automated install spec is provided (instruction-only). The SKILL.md recommends manually downloading mustang.jar via curl from the official GitHub releases URL — a reasonable approach. Recommendation: verify the downloaded JAR (checksum/signature) because running arbitrary JARs carries risk. The manual curl direction writes into ~/.openclaw/tools/mustang which is a clear, confined location.
Credentials
The skill requests no credentials or secret environment variables. It does modify PATH locally for the subprocess environment to include the openjdk@21 bin path (expected for invoking java). No extraneous access to other configs or sensitive data is requested.
Persistence & Privilege
The skill is not force-included (always: false) and is user-invocable. It does create a workspace under the skill directory (temp and expected ~/.openclaw/tools paths) but does not modify other skills or system-wide agent settings. Autonomous invocation is enabled by default on the platform but is not combined with other concerning flags.
Assessment
This skill appears coherent with its stated purpose, but take these precautions before installing/using it: 1) Download mustang.jar only from the official MustangProject GitHub releases page and verify the checksum/signature if available — running an untrusted JAR can execute arbitrary code. 2) Ensure Java and GhostScript are installed from trusted package sources (homebrew or distro packages). 3) Be aware the SKILL.md uses macOS/homebrew paths; if you run on Linux/Windows you may need to adjust PATH and install commands. 4) The included sample XML files contain real‑looking contact/IBAN data — treat them as sample data; don't accidentally publish them. 5) Run the skill on test files first and validate outputs before submitting to B2B/Gov portals. 6) If you need higher assurance, review the mustang.jar release's checksum or build MustangProject from source.Like a lobster shell, security has layers — review code before you run it.
e-invoicingvk97d95yt9evx2n2bp4pb2xxq0x823msqeuropeanvk97d95yt9evx2n2bp4pb2xxq0x823msqgermanyvk97d95yt9evx2n2bp4pb2xxq0x823msqinvoicevk97d95yt9evx2n2bp4pb2xxq0x823msqlatestvk97d95yt9evx2n2bp4pb2xxq0x823msqpdfvk97d95yt9evx2n2bp4pb2xxq0x823msqxmlvk97d95yt9evx2n2bp4pb2xxq0x823msqzugferdvk97d95yt9evx2n2bp4pb2xxq0x823msq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.