Invoice Collector

This skill appears to do what it claims, but take these precautions before installing or running it: - Gmail access is required: the skill uses gogcli OAuth tokens to read/send your mail. Only grant this to an account you trust and understand the scope (read and send). Treat those tokens as highly sensitive. - Avoid exporting passwords on the command line. SKILL.md suggests exporting GOG_KEYRING_PASSWORD; doing that writes secrets into shell history. Prefer using a config file or secure keyring prompts instead. - Puppeteer runs Chromium with --no-sandbox (documented). Rendering arbitrary email HTML without a sandbox increases risk; run this in an isolated environment (dedicated VM/container) if you process untrusted senders. - Verify gogcli install sources: the examples use GitHub releases (common), but do not pipe unverified archives blindly — follow the SKILL.md guidance to verify checksums or use your OS package manager. - Inspect the included script (scripts/collect_invoices.sh) and test on a limited mailbox subset before running broadly. Confirm the destination email address in the config to avoid accidental data leakage. If you want higher assurance, ask the maintainer for (1) a declared list of required environment variables in the registry metadata to match SKILL.md, (2) a verified install method (checksums or package manager), and (3) an option that avoids sending keyring passwords via env variables.