Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawHub Dev Invoice

v1.0.0

Generate professional invoices for ClawHub/OpenClaw skill development services. Use when billing for custom AgentSkills: creation, editing, testing, ClawHub...

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, SKILL.md, and the provided script/assets all align with an invoice generator for ClawHub development services. No unexpected cloud credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are limited to local invoice generation and optional conversion to PDF (pandoc/wkhtmltopdf). However, the included Python script contains a syntax error (missing colon on the if __name__ == "__main__" line) that prevents execution as-is, and it directly interpolates client-supplied strings into HTML without sanitization, which can lead to HTML injection/XSS when viewing the generated HTML in a browser.
Install Mechanism
No install spec; instruction-only with a small local script and templates. No downloads or external installers are requested.
Credentials
The skill requests no environment variables, credentials, or system config paths. Documentation includes a static contact/payment email, but this is part of the invoice template rather than a required secret.
Persistence & Privilege
The skill's always flag is false, and no special persistence or cross-skill modification is requested. The skill does not request elevated or ongoing privileges.
What to consider before installing
This skill appears to do what it says: generate invoices locally. Do NOT run it in production without review. Fix the Python syntax error (add the missing colon on if __name__ == "__main__"), and sanitize any client-provided strings before embedding them in HTML (escape HTML entities) to avoid XSS when opening the file in a browser. Test generation on non-sensitive/example data, and only convert to PDF using trusted tools you have installed (pandoc, wkhtmltopdf, or a browser). If you rely on the embedded contact/payment details, verify they are correct for your use case.


latest: vk97257eghcvgxymp0rnd7vfw6983v0j8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
