ClawHub

Invoice Generator

v1.0.0

Generate professional PDF invoices from JSON data. Use when the user needs to create an invoice, billing document, or payment request with company/client details and line items.

2· 3.9k·24 current·24 all-time
byTomás Migone@tmigone
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (generate PDFs from JSON) matches the required binaries (node, jq, weasyprint) and the single env var INVOICE_DIR. Requesting a directory path as the primaryEnv is unusual but explainable (output/config location). Handlebars dependency is appropriate for templating.
!
Instruction Scope
Runtime instructions and the script operate within the stated purpose (read JSON from stdin/file/config, render HTML with Handlebars, convert to PDF with weasyprint, write to $INVOICE_DIR). However, the script references assets/invoice.hbs (template) which is not present in the provided file manifest — that makes the skill incomplete and will cause failures or unexpected behavior. The script also reads configs from $INVOICE_DIR/configs and will write PDFs to $INVOICE_DIR/invoices; ensure that INVOICE_DIR is set to a safe directory (not a system or credential folder).
Install Mechanism
This is instruction-only with no install spec; the SKILL.md tells users to run 'npm install' in the skill folder. That is reasonable but means network access to npm is required at install time and the node_modules will be created on disk. No remote downloads or unusual installers are used in the package files present.
Credentials
Only INVOICE_DIR is required. That's a directory path (not a secret token) and is directly used to read configs and write invoices, so the requested env var is proportionate. Warning: if a user points INVOICE_DIR at a sensitive system path the script could read or overwrite files in its configs/invoices subpaths — the skill does not request network credentials or other unrelated secrets.
Persistence & Privilege
always is false and the skill does not request persistent platform-level privileges. It writes generated files under the user-specified INVOICE_DIR and creates a local node_modules when installing — standard behavior for a CLI-style skill.
What to consider before installing
This skill appears to do what it says (render a Handlebars template to HTML then convert to PDF), but before installing or running it you should: 1) Verify the template assets/invoice.hbs exist and inspect their contents (the manifest provided to me is missing that file). 2) Run npm install in a controlled environment (it downloads Handlebars from the public registry). 3) Set INVOICE_DIR to a dedicated folder you control (not /, /etc, your home dir with sensitive files, or any system credential folder) so the script cannot accidentally read or overwrite important files. 4) Ensure weasyprint is installed from a trusted package source. 5) If you need stronger assurance, run the script in a sandbox/container and review node_modules and assets before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cek1pt9rvrhtpba3t53ct2s7zqnr1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧾 Clawdis
Binsnode, jq, weasyprint
EnvINVOICE_DIR
Primary envINVOICE_DIR

Comments