TestSkills

Suspicious

Audited by ClawScan on May 12, 2026.

Overview

This Fibek integration is coherent, but it needs review because it stores a long-lived credential for a financial collections account and can perform customer-facing collection actions without visible confirmation safeguards.

Install only if you trust the publisher and have confirmed that FIBEK_BASE_URL points to the legitimate Fibek API. Before allowing the skill to send reminders or account statements, or to create payment agreements, require the agent to show the exact clients, invoices, channels, amounts, and dates, and ask for explicit confirmation. Treat the stored 5-year token like a password, and know how to log out and revoke it before you need to.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern, Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

An agent could send reminders or create payment agreements from an ambiguous or mistaken request, affecting customers and financial records.

Why it was flagged

These endpoints can send customer-facing collection messages and create financial payment agreements. The provided instructions do not visibly require a final user confirmation, recipient review, batch limit, or rollback step before these POST actions.

Skill content
`POST /invoices/sendPaymentReminder` ... `communicationChannels[]` ... `EMAIL, WHATSAPP, CALLS, SMS` ... `POST /payment-agreements` — required: `companyRelationshipId`, `description`, `totalAmount`, `currency`, `schedules[]`
Recommendation

Require explicit confirmation before every mutating action, showing recipients, channels, invoice IDs, amounts, due dates, and whether the action is reversible.
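One way to enforce this recommendation in the skill's tool layer, as an added example that is not the skill's own code: a gate that sits in front of the two mutating endpoints, validates the request against the field names the skill documents (`communicationChannels[]`, `companyRelationshipId`, `description`, `totalAmount`, `currency`, `schedules[]`), renders the recipients, channels, invoice IDs, amounts, due dates and reversibility, and only sends after the user types a confirmation bound to a digest of the exact request body. Assumed and not on the page: an `ask_user` prompt owned by the agent runtime, an injected `send` callable for the HTTP request, an `invoiceIds` field on the reminder body, `dueDate`/`amount` fields inside each `schedules[]` entry, and a batch limit of 5.

```python
"""Confirmation gate in front of the skill's mutating Fibek calls.

Added example, not the skill's own code. Assumed (not on the page): an
`ask_user` callback supplied by the agent runtime, an injected `send`
callable for the HTTP request, the `invoiceIds` field name on the reminder
body, and `dueDate`/`amount` fields inside each `schedules[]` entry.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable

REMINDER = "POST /invoices/sendPaymentReminder"
AGREEMENT = "POST /payment-agreements"
# Neither endpoint has a documented undo, so both are treated as irreversible.
MUTATING = {REMINDER: {"reversible": False}, AGREEMENT: {"reversible": False}}
ALLOWED_CHANNELS = {"EMAIL", "WHATSAPP", "CALLS", "SMS"}  # from the skill text
MAX_BATCH = 5  # assumed policy: at most 5 invoices per confirmed reminder


class PolicyViolation(ValueError):
    """Request rejected before the user is even asked."""


class ConfirmationRequired(PermissionError):
    """User did not type the exact confirmation string."""


def action_digest(endpoint: str, body: dict) -> str:
    """Short hash over the canonical request: the confirmation is bound to
    these exact bytes, so the agent cannot confirm one body and send another."""
    canon = json.dumps({"endpoint": endpoint, "body": body},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def validate(endpoint: str, body: dict) -> None:
    """Checks that need no human: channels, batch size, required fields,
    and that the schedule entries add up to totalAmount."""
    if endpoint == REMINDER:
        channels = body.get("communicationChannels", [])
        if not channels:
            raise PolicyViolation("no communication channel selected")
        bad = set(channels) - ALLOWED_CHANNELS
        if bad:
            raise PolicyViolation(f"unknown channels: {sorted(bad)}")
        ids = body.get("invoiceIds", [])
        if not ids:
            raise PolicyViolation("no invoices selected")
        if len(ids) > MAX_BATCH:
            raise PolicyViolation(f"{len(ids)} invoices exceeds batch limit {MAX_BATCH}")
    elif endpoint == AGREEMENT:
        required = ("companyRelationshipId", "description", "totalAmount",
                    "currency", "schedules")
        missing = [k for k in required if k not in body]
        if missing:
            raise PolicyViolation(f"missing required fields: {missing}")
        scheduled = round(sum(s["amount"] for s in body["schedules"]), 2)
        if scheduled != round(body["totalAmount"], 2):
            raise PolicyViolation(f"schedules sum to {scheduled}, not {body['totalAmount']}")


def render_preview(endpoint: str, body: dict) -> str:
    """Exactly what the finding asks the agent to show before acting."""
    lines = [f"Action: {endpoint}",
             f"Reversible: {'yes' if MUTATING[endpoint]['reversible'] else 'NO'}"]
    if endpoint == REMINDER:
        lines.append("Invoices: " + ", ".join(body["invoiceIds"]))
        lines.append("Channels: " + ", ".join(body["communicationChannels"]))
    else:
        lines.append(f"Customer relationship: {body['companyRelationshipId']}")
        lines.append(f"Amount: {body['totalAmount']:.2f} {body['currency']}")
        lines.append("Schedule: " + "; ".join(
            f"{s['dueDate']} {s['amount']:.2f}" for s in body["schedules"]))
    lines.append(f"Digest: {action_digest(endpoint, body)}")
    return "\n".join(lines)


@dataclass
class Gate:
    ask_user: Callable[[str], str]       # runtime-owned prompt, not agent-controlled
    send: Callable[[str, dict], dict]    # performs the real HTTP call
    audit: list = field(default_factory=list)

    def call(self, endpoint: str, body: dict) -> dict:
        if endpoint not in MUTATING:      # reads pass straight through
            return self.send(endpoint, body)
        validate(endpoint, body)
        digest = action_digest(endpoint, body)
        prompt = render_preview(endpoint, body) + f"\nType 'CONFIRM {digest}' to proceed: "
        if self.ask_user(prompt).strip() != f"CONFIRM {digest}":
            self.audit.append(("refused", endpoint, digest))
            raise ConfirmationRequired(f"{endpoint} not confirmed")
        self.audit.append(("confirmed", endpoint, digest))
        return self.send(endpoint, body)


def try_call(gate: Gate, endpoint: str, body: dict) -> str:
    """Outcome as a string for logging: 'sent', 'refused', or 'policy: ...'."""
    try:
        gate.call(endpoint, body)
        return "sent"
    except ConfirmationRequired:
        return "refused"
    except PolicyViolation as exc:
        return f"policy: {exc}"
```

The digest matters more than the prompt text: a confirmation that is just "yes" can be replayed against a different body, whereas `CONFIRM <digest>` only authorises the request that was previewed. Keeping `ask_user` and the audit list outside the agent's control is what makes the gate meaningful; if the agent can answer its own prompt, nothing here helps.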

What this means

A stored 5-year token could provide persistent access to sensitive financial and customer data if mishandled or reused unexpectedly.

Why it was flagged

The skill handles user passwords and stores a long-lived bearer token for a financial collections platform, but the artifacts do not specify secure token storage, scoping, or retention safeguards.

Skill content
Ask email + password → `POST /auth/login` ... On success, store token ... Token header: `Authorization: Bearer ${TOKEN}` (JWT, 5-year validity)
Recommendation

Use a secure secret store, declare the credential requirement in metadata, prefer shorter-lived or revocable tokens, and clearly tell users how to log out, revoke, and audit access.

What this means

Users may not realize up front that they must configure the API destination and provide Fibek login credentials.

Why it was flagged

The SKILL.md requires a base URL, while the registry metadata says there are no required environment variables or primary credential. This under-declares setup and authentication expectations before installation.

Skill content
Environment variable required: `FIBEK_BASE_URL`
Recommendation

Update metadata to declare FIBEK_BASE_URL and the user-login credential flow, and instruct users to verify the official Fibek API URL before entering credentials.