Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Fakturownia CLI
v0.6.5
Fakturownia CLI bundle: shared guidance, auth, accounts, departments, issuers, users, categories, clients, payments, bank accounts, products, price lists, in...
by @sixers
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name/description match the content: it documents and orchestrates the fakturownia CLI. The manifest and SKILL.md both declare the required binary (fakturownia). Subskills and recipes align with invoicing, accounts, auth, schema discovery, and diagnostics — all consistent with an API CLI bundle.
Instruction Scope
Runtime instructions are concrete CLI commands for the fakturownia tool and workflow recipes (create invoice, send to KSeF, add attachments, etc.). They instruct saving and verifying credentials via the CLI (e.g., auth login, auth status) and running smoke tests. The instructions do not direct the agent to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
The bundle is instruction-only (no install spec), but the root SKILL.md explicitly suggests bootstrap installation via curl -fsSL https://raw.githubusercontent.com/sixers/fakturownia-cli/master/install.sh | bash. The URL is a GitHub raw content host (a known release host), which reduces but does not eliminate risk: piping remote scripts to a shell executes arbitrary code fetched at install time. This is a legitimate convenience for CLI bootstrap but worth manual review before running.
Credentials
The instructions reference environment variables such as FAKTUROWNIA_PROFILE, FAKTUROWNIA_URL, and FAKTUROWNIA_API_TOKEN. Those are appropriate and proportional for a CLI that needs to authenticate to the Fakturownia API. The manifest does not require unrelated credentials or secrets.
Persistence & Privilege
The skill is not always-included (always: false) and does not request elevated platform privileges. It describes storing tokens/profiles via the CLI (normal for an auth helper). Autonomous invocation is allowed (default) but not combined with suspicious credential requests.
Assessment
This bundle is a documentation-driven skill for operating the fakturownia CLI and appears internally consistent. Before installing or running it:
1) If you follow the bootstrap, review the install script at https://raw.githubusercontent.com/sixers/fakturownia-cli/master/install.sh rather than piping blindly to bash; consider installing the binary from a package manager or verified release instead.
2) Only provide FAKTUROWNIA_API_TOKEN (or run auth commands) if you trust the CLI and repository; the CLI may persist tokens to your machine/keychain.
3) Avoid using --raw or other flags that can print secrets unless necessary.
4) If you need higher assurance, manually inspect the upstream repository (manifest repository URL is in manifest.json) and the install script before proceeding.
Like a lobster shell, security has layers — review code before you run it.
