Baiwang Smart Invoice Verification (百望股份智能发票查验)

Review. Audited by ClawScan on May 10, 2026.

Overview

The skill largely matches its invoice-checking purpose, but it under-discloses persistent device fingerprinting while handling sensitive invoices and recharge orders.

Install only if you trust this publisher and provider endpoint. Before initializing, understand that the skill may create a persistent local identity and send invoice data to the remote API. Use narrowly selected folders, avoid unrelated private files, and require explicit confirmation before any recharge order.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The service may be able to link usage to the same device or local user over time, even though the user did not provide an account.

Why it was flagged

The code derives a stable device fingerprint from the local platform and architecture, username, hostname, and MAC addresses, and appears to send it during remote API-key initialization. The docs say no account or API key is needed, but they do not disclose this device-identity collection.

Skill content
const parts = [os.platform(), os.arch(), os.hostname(), safeUserName(), collectMacAddresses().join("|")]; ... return stableHash("device_", parts.join("||")); ... "/api/v4/plugin/key/init", { clientInstanceId, deviceFingerpr
Recommendation

Disclose the fingerprinting clearly before initialization, ask for consent, avoid using MAC/username/hostname where possible, and provide a documented reset/delete path.

What this means

Invoice contents and related financial data may leave the local machine and be processed by the remote service.

Why it was flagged

The skill sends request bodies to an external provider API. For this invoice-verification skill, those bodies can include invoice text, images, and related data selected by the user.

Skill content
const DEFAULT_API_BASE_URL = "https://51yzt.cn/assetInnovate"; ... fetch(`${baseUrl}${endpoint}`, { method, headers: buildHeaders(appKey, requestId), body: body ? JSON.stringify(body) : undefined })
Recommendation

Use the skill only with invoices you are allowed to send to this provider, verify the API endpoint, and avoid broad folders containing unrelated private files.

What this means

A user request about buying or recharging could result in an order being created.

Why it was flagged

The agent instructions allow the skill to create recharge orders when it infers a clear amount, and the skill can be invoked implicitly. This is disclosed and purpose-aligned, but it is still a purchase/order action.

Skill content
default_prompt: "... 以及创建和查询充值订单。... 明确选金额时用 create-order。" ... policy:
  allow_implicit_invocation: true
Recommendation

Require an explicit final confirmation for create-order actions, including amount, package, and payment implications.

What this means

Users have less ability to confirm that this integration is official or maintained by the claimed provider.

Why it was flagged

The skill claims to provide a Baiwang invoice-verification service and handles sensitive invoice data, but the registry metadata does not provide a verifiable source or homepage.

Skill content
Source: unknown; Homepage: none
Recommendation

Verify the publisher and service endpoint before sending real invoice data or creating recharge orders.