TestSkills

Advisory

Audited by static analysis on May 12, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

An agent could send reminders or create payment agreements from an ambiguous or mistaken request, affecting customers and financial records.

Why it was flagged

These endpoints can send customer-facing collection messages and create financial payment agreements. The provided instructions do not visibly require a final user confirmation, recipient review, batch limit, or rollback step before these POST actions.

Skill content

`POST /invoices/sendPaymentReminder` ... `communicationChannels[]` ... `EMAIL, WHATSAPP, CALLS, SMS` ... `POST /payment-agreements` — required: `companyRelationshipId`, `description`, `totalAmount`, `currency`, `schedules[]`

Recommendation

Require explicit confirmation before every mutating action, showing recipients, channels, invoice IDs, amounts, due dates, and whether the action is reversible.

What this means

A stored 5-year token could provide persistent access to sensitive financial and customer data if mishandled or reused unexpectedly.

Why it was flagged

The skill handles user passwords and stores a long-lived bearer token for a financial collections platform, but the artifacts do not specify secure token storage, scoping, or retention safeguards.

Skill content

Ask email + password → `POST /auth/login` ... On success, store token ... Token header: `Authorization: Bearer ${TOKEN}` (JWT, 5-year validity)

Recommendation

Use a secure secret store, declare the credential requirement in metadata, prefer shorter-lived or revocable tokens, and clearly tell users how to log out, revoke, and audit access.

What this means

Users may not realize up front that they must configure the API destination and provide Fibek login credentials.

Why it was flagged

The SKILL.md requires a base URL, while the registry metadata says there are no required environment variables or primary credential. This under-declares setup and authentication expectations before installation.

Skill content

Environment variable required: `FIBEK_BASE_URL`

Recommendation

Update metadata to declare FIBEK_BASE_URL and the user-login credential flow, and instruct users to verify the official Fibek API URL before entering credentials.