Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Honeybook

v0.1.10

This skill should be used when the user asks about HoneyBook client-portal data. Triggers on phrases like "check HoneyBook", "sign contract", "pay invoice",...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for chrischall/honeybook.

Install the skill "Honeybook" (chrischall/honeybook) from ClawHub.
Skill page: https://clawhub.ai/chrischall/honeybook
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install honeybook

ClawHub CLI

npx clawhub@latest install honeybook
Security Scan
Capability signals
Crypto; Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's stated purpose (viewing/signing/paying HoneyBook portal items) is plausible for the listed tools, but the SKILL.md references a persistent session cache at ~/.honeybook-mcp/sessions.json even though the skill metadata declared no required config paths. Requesting no credentials is plausible if using magic links, but the persistent storage of session tokens should have been declared and justified.
! Instruction Scope
The instructions say the agent 'captures a session from a vendor magic-link URL' but do not specify how that capture happens (user paste only, reading clipboard, fetching email, or scripting a browser). That vagueness could let the agent attempt broad actions to obtain tokens. The SKILL.md also directs writing session state to the user's home directory and performing write actions (sign_contract, pay_invoice) that require explicit confirmation but otherwise could enable transactions.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so there is no installer risk or arbitrary downloads.
! Credentials
No environment variables or credentials are declared, which is consistent with using magic links, but the skill claims to list payment methods and store sessions (sensitive data) without declaring or explaining storage/encryption. The absence of declared config paths contradicts the SKILL.md reference to a specific sessions.json path.
! Persistence & Privilege
The skill persists session tokens in ~/.honeybook-mcp/sessions.json (mode 0600) per SKILL.md, which is a lasting, sensitive artifact. Although always:false and autonomous invocation are normal, persistent session storage increases the blast radius if the agent or skill is compromised and the path was not declared up front.
What to consider before installing
This skill appears to implement HoneyBook portal operations but has important gaps and ambiguities. Before installing or using it: (1) do not paste magic-link URLs (they contain access tokens) into an agent you don't fully trust; (2) ask the skill author to declare the config path(s) and to explain how sessions.json is stored and protected (encryption at rest, TTL for tokens, exact contents); (3) insist that write operations (signing, paying) require an explicit, human-confirmed step and that the skill return deep links instead of auto-submitting payments; (4) get clarity on how the agent 'captures' magic links (it should require the user to paste the link manually and never try to read email/clipboard without explicit permission); and (5) consider rejecting the skill or using it only in a tightly controlled environment until the author fixes the metadata (declare config paths) and documents safety/privacy controls. If the author provides those clarifications and limits persistence of sensitive tokens, reassess — otherwise treat the skill with caution.

latestvk974z6sgvmanx034mkvrt3xre585aerc
130 downloads
0 stars
7 versions
Updated 5d ago
v0.1.10
MIT-0

honeybook-mcp

MCP server for HoneyBook's client portal — 8 tools for viewing contracts and invoices across multiple wedding vendors, with magic-link session capture and deep-link fallback for signing and paying.

Tools

  • use_magic_link — Capture a session from a vendor magic-link URL
  • list_active_sessions — Show currently active portal sessions
  • list_workspace_files — All files one vendor has shared (filter by type)
  • get_workspace_file — Full detail for one file
  • get_workspace — Workspace detail + status flags
  • list_payment_methods — Saved payment methods
  • sign_contract — Deep link to sign in portal (requires confirm:true)
  • pay_invoice — Deep link to pay in portal (requires confirm:true)

Workflows

  • First time → user pastes magic-link URL from vendor email → use_magic_link → session captured
  • "What contracts haven't I signed?" → list_workspace_files with file_type=agreement, filter by is_file_accepted=false
  • "Summarize my HB status with Silk Veil" → get_workspace (status flags) + list_workspace_files
  • "Send me a link to sign the photographer's contract" → list_workspace_files → sign_contract with confirm:true
  • "Which invoices are overdue?" → list_workspace_files with file_type=invoice, sort by due date

Notes

  • Each vendor = separate session keyed by portal origin (e.g. https://acme.hbportal.co)
  • Sessions cached in ~/.honeybook-mcp/sessions.json (mode 0600)
  • Write tools (sign_contract, pay_invoice) return deep links in v2
  • Session expires → re-run use_magic_link with a fresh URL from the vendor's email
