ClawHub Dev Invoice

Security checks across malware telemetry and agentic risk

Overview

This is a narrow local invoice-generation skill; it handles client billing details but does not show hidden network access, credential use, persistence, or destructive behavior.

Install only if you want this Thomas/OpenClaw-style invoicing workflow. Before sending invoices, verify sender/payment details, tax assumptions, and client data; avoid committing invoice JSON/HTML/PDF files to repositories or sharing them insecurely. The bundled Python and JSON appear HTML-escaped and may need correction to run, which is a functionality issue rather than a security concern.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 80%
Finding
The skill processes and sends invoices containing client personal data such as names, addresses, and email addresses, yet provides no guidance on secure handling, storage, redaction, retention, or transmission. In a billing workflow, this omission increases the risk of accidental disclosure through shared files, insecure output directories, email misdelivery, or unprotected generated documents.

VirusTotal

65/65 vendors flagged this skill as clean.