Is maverick-ai-tech/smartbill-invoicing safe?
https://github.com/openclaw/skills/tree/main/skills/maverick-ai-tech/smartbill-invoicing
The maverick-ai-tech/smartbill-invoicing skill is a focused, well-implemented invoice automation tool for the SmartBill.ro API. The SKILL.md contains no prompt injection attempts and the bundled Python CLI uses only the standard library with appropriate path traversal protections and a --allow-final guard on irreversible invoice issuance. The primary residual risk is an indirect one: the --base-url / SMARTBILL_API_BASE override mechanism creates a credential redirect surface exploitable only if the agent is separately compromised by prompt injection from another source. The financial nature of the operations (invoice issuance cannot be undone) warrants user-level confirmation hygiene in the calling agent, but no malicious behavior was detected in the skill itself.
Findings (7)
MEDIUM (-12): API base URL override enables SmartBill credential redirect
The --base-url CLI argument and the SMARTBILL_API_BASE environment variable allow all SmartBill API calls to be redirected to an arbitrary endpoint. Credentials are sent as HTTP Basic Auth (base64-encoded username:token) on every request, so if a second prompt injection vector (e.g., malicious data in a processed document) convinced the agent to supply a hostile base URL, the SmartBill credentials would be silently exfiltrated to that endpoint. The skill itself does not instruct this attack, but the mechanism is exposed by design.
MEDIUM (-15): Irreversible financial invoice issuance with low friction after --allow-final
Once --allow-final is supplied and the API returns success, a legal SmartBill invoice is issued in the user's name and cannot be deleted. While the skill requires explicit flag use, an agent operating under indirect prompt injection could be directed to issue invoices to arbitrary clients with fraudulent line items.
LOW (-7): Bundled reference files read by agent at runtime; updatable attack surface
SKILL.md instructs the agent to read references/smartbill-api.md before making API calls. A malicious future version of this skill could embed prompt injection instructions in those reference files, and the agent would read them as trusted guidance. The current versions are clean reference documentation with no injection attempts.
LOW (-7): Executable Python script bundled; standard library only, no escalation paths
The skill bundles smartbill_cli.py, which the agent runs directly. The script uses only the Python standard library, with no subprocess execution, no dynamic code evaluation, and no external package imports. All network activity is directed to the configured SmartBill API endpoint.
LOW (-6): Debug mode logs full API request/response bodies to stderr
SMARTBILL_DEBUG=1 or --debug causes the script to print full request and response payloads to stderr. The Authorization header is redacted, but response data, including invoice numbers, client VAT codes, and series names, is logged in full. In agent environments where stderr is captured to logs, this data could be exposed.
INFO (-9): Standard sparse monorepo clone from openclaw/skills; expected behavior
Install performs a depth-1 clone of the openclaw/skills GitHub repository, sparsely checks out only the skill subdirectory, copies files to the installation path, and deletes the temporary clone. No unexpected processes, persistent connections, or out-of-scope filesystem writes were detected. Post-install connection table diff shows no new listeners.
INFO (0): Canary file reads are audit-framework pre/post integrity checks; no exfiltration
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were accessed in two identical bursts: once before install (1771934795) and once after (1771934819). The simultaneous millisecond-precision access pattern and the passing canary integrity check confirm that these are Oathe's own pre/post verification passes, not activity from the skill. The skill's Python script contains no file-read paths targeting these locations.