freelance invoice tracker

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is clearly about invoice follow-up, but it asks the agent to automatically send payment reminders and final notices to clients using sensitive financial/contact data without clear approval or credential boundaries.

Only install this if you are comfortable giving the agent access to your invoice sheet and communication channels. Configure it to preview drafts and ask before sending any client email or WhatsApp message, and use restricted credentials tied only to this invoicing workflow.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Incorrect or stale sheet data could cause clients to receive inappropriate payment demands or final notices, potentially harming business relationships.

Why it was flagged

The skill directs the agent to periodically scan invoice data and automatically send external payment reminders/final notices, but the visible instructions do not require user approval or message review before sending.

Skill content

Every day at 9 AM IST, scan the `Invoices` sheet ... Send reminders on these triggers ... +30 | Final notice | Email + WhatsApp + alert to freelancer

Recommendation

Require explicit user confirmation before each outbound email or WhatsApp message, add a dry-run/preview mode, log sent reminders, and include deduplication and stop-list controls.

What this means

The agent may need or use broader email/communication account access than the registry makes clear, which could send messages from the wrong account or with excessive authority.

Why it was flagged

The artifact declares only Google Sheets credentials but also instructs use of Gmail/SMTP and WhatsApp-style outbound messaging, without specifying required communication credentials, account scope, or permission limits.

Skill content

metadata: {"openclaw":{"requires":{"env":["GOOGLE_SHEETS_CREDENTIALS","INVOICE_SHEET_ID"]} ... Use Gmail API or SMTP (based on env `EMAIL_PROVIDER`: `gmail` or `smtp`).

Recommendation

Declare all required email/SMTP/WhatsApp credentials, use least-privileged accounts, clearly identify the sending account, and require user approval before using those accounts.

What this means

Private invoice, client, and banking details will enter the agent workflow and may be inserted into outgoing messages.

Why it was flagged

The skill reads and uses client contact details, invoice/payment status, GST information, and bank/UPI details from the Google Sheet. This is purpose-aligned, but it is sensitive financial and contact data.

Skill content

Client Email ... Client WhatsApp ... Amount ... Status ... freelancer_gstin ... account_number ... ifsc ... upi_id

Recommendation

Limit the service account to the intended sheet, protect the sheet from untrusted edits, avoid logging sensitive fields, and treat spreadsheet contents as data rather than instructions.