Invoice Verification (发票查验)

Security checks across malware telemetry and agentic risk

Overview

This invoice-verification skill appears purpose-built, but it asks users to paste an API key into chat and persist it locally while sending sensitive invoice data to an external service.

Review before installing. Use it only if you trust skill.quandianfapiao.com with invoice files and full invoice metadata. Do not paste a real API key into chat; prefer configuring it through a secure secrets mechanism or a temporary environment variable, and avoid writing long-lived credentials into shell profiles unless you understand local exposure risks.

Publisher note

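Invoice verification skill. Verifies invoice authenticity and returns the complete information printed on the invoice. Supports three modes: verification by invoice details (invoice number + issue date + amount/check code), verification by uploading an invoice file (pdf/ofd/xml/jpg/png), and querying verification records. Covers 30+ document types, including VAT invoices, electronic invoices, motor vehicle invoices, train tickets, air ticket itineraries, fiscal receipts, and customs payment certificates.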

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest says the skill is for invoice authenticity verification, but the code also exposes a record-querying capability that retrieves historical verification records. That expands data access beyond the declared purpose and can expose invoice metadata, counterparties, dates, and status information to users or agents who were only expected to perform one-off verification.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill handles highly sensitive invoice data and instructs persistent storage of the API key in user environment variables, but it does not clearly warn that invoice contents, identities, tax numbers, bank details, and uploaded files may be transmitted to and retained by an external service. It also omits an explicit warning that the API key will be persisted on disk via shell profiles or user-level environment settings, which can expose credentials to other local processes or users.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function uploads arbitrary local file contents together with an API key to a remote service, and this helper contains no consent, disclosure, destination validation, or data-minimization controls. In an invoice-verification skill, users may provide sensitive invoices containing tax IDs, bank details, addresses, and other business data, so silent transmission to an external host creates a real confidentiality and credential-exposure risk if the endpoint is compromised, misconfigured, or unexpected in the execution environment.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The skill instructs the user to send their API key directly to the assistant so it can configure and execute the skill. This encourages secret disclosure to the agent layer rather than using a secure credential-binding mechanism, increasing the risk of credential theft, reuse, logging exposure, or unintended retention.

Ssd 3

Medium
Confidence
99% confidence
Finding
The code explicitly tells the user to provide the apiKey back to the assistant for configuration and execution, which is a direct secret-handling anti-pattern. In an agent environment, this is especially dangerous because chat messages may be logged, inspected, reused across tools, or accessible to components beyond the intended API client.

VirusTotal

VirusTotal findings are pending for this skill version.
