Invoice Generator

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to locally turn invoice JSON into PDFs without network or account access, but the package references a template file that was not included.

This skill looks benign and purpose-aligned for local invoice PDF generation. Before installing, confirm that the assets/invoice.hbs template missing from the package has been supplied and reviewed, run npm install only from the included package files, and set INVOICE_DIR to a dedicated private folder for invoice outputs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill will create and save invoice files on disk in the directory the user configures.

Why it was flagged

The script creates local directories and later writes the generated PDF under INVOICE_DIR. This is expected for an invoice generator, but it is still local file-writing authority.

Skill content

mkdir -p "$CONFIGS_DIR" "$INVOICES_DIR"

Recommendation

Set INVOICE_DIR to a dedicated folder you control, and avoid pointing it at shared or sensitive directories unless that is intended.

What this means

The skill may fail to run as packaged, or a later-added template would need separate review.

Why it was flagged

The script depends on assets/invoice.hbs, but that file is not listed in the supplied manifest. This is a package completeness/provenance issue rather than evidence of malicious behavior.

Skill content

node - "$SKILL_DIR/assets/invoice.hbs" "$TEMP_DIR/data.json" "$TEMP_DIR/out.html"

Recommendation

Confirm that assets/invoice.hbs is included and review it before relying on the skill.

What this means

Generated invoices may contain client, tax, address, and payment details stored on the local filesystem.

Why it was flagged

The documented invoice data can include client tax IDs and billing details, and the generated PDF is persisted locally. This is purpose-aligned, but sensitive business data should be protected.

Skill content

"taxId": "TAX123" ... Output goes to: $INVOICE_DIR/invoices/invoice-{number}.pdf

Recommendation

Use a protected INVOICE_DIR and be cautious about storing invoices in synced, shared, or world-readable locations.