Security Scan
OpenClaw
Suspicious
Medium confidence. The skill's purpose (invoice generation) matches the files and instructions, but the included script has functional bugs and writes unsanitized HTML output (XSS risk); it should be reviewed and fixed before use.
Assessment Recommendation
This skill appears to do what it says: generate invoices locally. Do NOT run it in production without review. Fix the Python syntax error (add the missing colon on the if __name__ == "__main__" line), and sanitize any client-provided strings before embedding them in HTML (escape HTML entities) to avoid XSS when opening the file in a browser. Test generation on non-sensitive/example data, and only convert to PDF using trusted tools you have installed (pandoc, wkhtmltopdf, or a browser). If you rely on the...
✓ Purpose & Capabilities
Name/description, SKILL.md, and the provided script/assets all align with an invoice generator for ClawHub development services. No unexpected cloud credentials, binaries, or config paths are requested.
⚠ Instruction Scope
Runtime instructions are limited to local invoice generation and optional conversion to PDF (pandoc/wkhtmltopdf). However, the included Python script contains a syntax error (missing colon on the if __name__ == "__main__" line) that prevents execution as-is, and it directly interpolates client-supplied strings into HTML without sanitization, which can lead to HTML injection/XSS when viewing the generated HTML in a browser.
✓ Install Mechanism
No install spec; instruction-only with a small local script and templates. No downloads or external installers are requested.
✓ Credential Requirements
The skill requests no environment variables, credentials, or system config paths. Documentation includes a static contact/payment email, but this is part of the invoice template rather than a required secret.
✓ Persistence & Permissions
`always` is false, and no special persistence or cross-skill modification is requested. The skill does not request elevated or ongoing privileges.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest v1.0.0 (2026/3/29)
v1.0.0: Initial release. Niche invoice generator for ClawHub skill dev billing: standard rates, Sask GST 5%, JSON-to-HTML generator script, tax guidelines.
● Harmless
Install command
Official: npx clawhub@latest install clawhub-dev-invoice
Mirror: npx clawhub@latest install clawhub-dev-invoice --registry https://cn.clawhub-mirror.com
Skill Documentation
Overview
Specialized tool for Thomas to quickly generate invoices for freelance ClawHub skill dev work. Includes standard rates, Sask tax, and professional formatting. Outputs a ready-to-send PDF.
When to Use
- Client requests quote/invoice for skill work
- Monthly billing summary for ongoing dev
- One-off fixed fee for skill publish/package
- Track billable hours on projects
Standard Rates (CAD)
| Service | Rate |
|---|---|
| Skill Initialization & Basic SKILL.md | $500 fixed |
| Hourly Development/Editing | $150/hr |
| ClawHub Publishing & Validation | $100 fixed |
| Testing/Debugging | $75/hr |
| Expenses (tools, API credits) | Cost + 15% |
| Rush Fee (<48h) | +50% |
Quick Start Workflow
- Collect Data:
- Calculate Totals:
- Generate: `scripts/generate_invoice.py client-data.json` for PDF
- Or manually: copy `assets/invoice-template.html`, edit, run pandoc to produce the PDF
- Send: Attach the PDF, reference the invoice #.
Resources
scripts/generate_invoice.py
Automates HTML+PDF from JSON input. Run: `python scripts/generate_invoice.py input.json`. Input JSON example:

```json
{
  "invoice_num": "2026-001",
  "date": "2026-03-29",
  "due_date": "2026-04-28",
  "client": {
    "name": "Client Co",
    "address": "123 Street, City SK",
    "email": "client@example.com"
  },
  "items": [
    {"desc": "Skill init: weather-forecast", "hours": 4, "rate": 150},
    {"desc": "ClawHub publish", "fixed": 100}
  ],
  "expenses": 50
}
```
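As an added example (not the skill's own `generate_invoice.py`), the following renders the documented JSON shape into HTML while passing every client-supplied string through `html.escape`, which is the fix the scan recommends for the XSS finding. The sample input is constructed, with a deliberately hostile client name, and the GST/rounding handling is an assumption based on the rate table (5% GST on the subtotal, expenses at face value).

```python
import html
import json
from decimal import Decimal, ROUND_HALF_UP

GST_RATE = Decimal("0.05")  # Saskatchewan GST as stated in the skill docs

# Constructed sample mirroring the skill's documented JSON shape; the client
# name carries a script tag to show that escaping neutralises it.
SAMPLE_INPUT = json.loads("""{
  "invoice_num": "2026-001",
  "date": "2026-03-29",
  "due_date": "2026-04-28",
  "client": {"name": "Client Co <script>alert(1)</script>",
             "address": "123 Street, City SK", "email": "client@example.com"},
  "items": [
    {"desc": "Skill init: weather-forecast", "hours": 4, "rate": 150},
    {"desc": "ClawHub publish", "fixed": 100}
  ],
  "expenses": 50
}""")


def money(value) -> Decimal:
    # Round to cents with Decimal to avoid float drift on invoice totals.
    return Decimal(str(value)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def line_total(item: dict) -> Decimal:
    # Fixed-fee lines carry "fixed"; hourly lines carry hours * rate.
    if "fixed" in item:
        return money(item["fixed"])
    return money(Decimal(str(item["hours"])) * Decimal(str(item["rate"])))


def compute_totals(data: dict) -> dict:
    items = sum((line_total(i) for i in data["items"]), Decimal("0"))
    subtotal = money(items + money(data.get("expenses", 0)))  # assumption: expenses at cost
    gst = money(subtotal * GST_RATE)
    return {"subtotal": subtotal, "gst": gst, "total": money(subtotal + gst)}


def render_invoice(data: dict) -> str:
    # Every client-controlled string is escaped before it lands in the HTML, so
    # <, >, &, " and ' cannot break out of the text node they are placed in.
    e = lambda s: html.escape(str(s), quote=True)
    c, t = data["client"], compute_totals(data)
    rows = "".join(f"<tr><td>{e(i['desc'])}</td><td>{line_total(i)}</td></tr>"
                   for i in data["items"])
    return (f"<h1>Invoice {e(data['invoice_num'])}</h1>"
            f"<p>{e(c['name'])}<br>{e(c['address'])}<br>{e(c['email'])}</p>"
            f"<table>{rows}</table>"
            f"<p>Subtotal {t['subtotal']} / GST 5% {t['gst']} / Total {t['total']}</p>")
```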
references/sask_tax_guidelines.md
Sask GST details, terms.
assets/sample-input.json
HTML template for manual edits. Style: clean, professional (Arial, tables).
Data source: ClawHub · Chinese localization: 龙虾技能库