Invoice Forge
Pass. Audited by ClawScan on May 10, 2026.
Overview
Invoice Forge appears to be a local invoice generator with no evidence of hidden network or credential behavior; the main things to watch are local financial data storage and direct file-changing commands.
This looks reasonable for local invoice generation. Before using it, review the Python files, run it only in a dedicated folder, keep backups of the JSONL data files, and remember that client and invoice details are stored locally and may contain sensitive business information.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You have less independent information about where the code came from, even though the provided code appears local and purpose-aligned.
The skill is not installed from a declared upstream source and has limited provenance metadata, although the included artifacts do not show remote downloads or hidden install-time code.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the included Python files before use and run the tool in a project folder where local invoice data is expected.
If the agent or user runs the wrong command, a local client record could be changed or removed.
The skill includes local mutation commands that can delete or rewrite client records. This is expected for client management, but it affects business data.
    def delete_client(self, client_id: str) -> bool:
        ...
        clients = [c for c in clients if c.get("client_id") != client_id]
        ...
        self._write_all_clients(clients)

Use explicit instructions for create/update/delete operations and keep backups of the data files, especially before bulk edits.
Client names, emails, addresses, phone numbers, invoice amounts, and payment status may remain on disk after use.
The tool stores client contact details in persistent local JSONL files so they can be reused for invoices and reports.
    "name": name,
    "email": email,
    "address": address,
    "phone": phone,
    ...
    with open(self.clients_file, "a", encoding="utf-8") as f:
        f.write(json.dumps(client) + "\n")
Store the skill data directory in a private location, avoid syncing it to untrusted cloud folders, and back it up securely.
Malicious or accidental HTML in client names, notes, or line items could affect the generated invoice page.
Invoice text is inserted into generated HTML without visible HTML escaping in the provided snippet. If untrusted text contains markup or script, the browser may render it as HTML when the invoice is opened.
    items_html += f"""
        <tr>
            <td>{desc}</td>
            <td class="text-right">{qty}</td>

Use trusted plain text in invoice fields, or update the template code to HTML-escape all user-controlled values before rendering.
