Is mintannn/invoice-collector safe?
https://github.com/openclaw/skills/tree/main/skills/mintannn/invoice-collector
The invoice-collector skill is a functionally legitimate Gmail invoice aggregation tool with no prompt injection attempts in SKILL.md and a clean install from github.com with no unexpected network activity or filesystem side-effects. Its primary risks are architectural: Chromium is launched without a sandbox when rendering arbitrary email HTML (creating a persistent code-execution surface for any malicious email in the inbox), gogcli is granted unrestricted Gmail OAuth access that exceeds the stated invoice scope, and the email forwarding destination is fully agent-configurable with no validation. Canary file accesses observed during the audit predated the skill install and are attributed to audit infrastructure; the canary integrity check confirmed no exfiltration occurred.
Category Scores
Findings (11)
HIGH Chromium launched without sandbox when rendering email HTML -25
Both SKILL.md inline snippets and scripts/collect_invoices.sh launch Puppeteer with --no-sandbox and --disable-setuid-sandbox to screenshot email bodies. Any malicious HTML in a received email — whether a targeted attack or a mass-spam campaign — could exploit a Chromium renderer vulnerability and achieve arbitrary code execution on the host, unconfined by the browser sandbox. The skill author acknowledges this risk in the Security Considerations section.
MEDIUM Full Gmail OAuth scope grants access to all emails, not just invoices -15
The skill requires gogcli authenticated with full Gmail API access (read, modify, send). This is not scoped to a specific label or sender list. Any agent operating under this skill has programmatic access to the entire Gmail inbox, sent mail, and drafts. A compromised agent or one manipulated via prompt injection in an email could exfiltrate any message, not just billing emails.
MEDIUM Email forwarding destination is unvalidated and fully agent-configurable -15
The destination address passed to 'gog gmail send --to' is taken directly from the config JSON field 'destination' or from agent instruction. There is no allowlist, domain restriction, or confirmation step. An attacker who can influence the agent (e.g., via a crafted invoice email subject) could cause all collected invoices — which include financial data and vendor relationships — to be forwarded to an attacker-controlled address.
MEDIUM Primary gogcli install method uses unauthenticated curl|tar pipeline -10
The first and most prominent installation example in SKILL.md uses 'curl -sL ... | tar xz', which downloads and unpacks the binary in one step, with no integrity verification before it is run. A supply chain compromise of the steipete/gogcli GitHub release, or a DNS/TLS downgrade attack, could result in malicious binary execution at install time. A checksum-verified alternative is documented but presented as secondary.
LOW Gmail keyring password stored as plaintext environment variable -7
GOG_KEYRING_PASSWORD is documented as a required environment variable and is exported as a shell variable in usage examples. Environment variables are visible via /proc/PID/environ to processes running as the same user, may appear in shell history, crash dumps, or log files, and are inherited by all child processes spawned by the agent.
LOW Puppeteer installed to /tmp with runtime Chromium binary download -8
The setup instructions direct 'cd /tmp && npm install puppeteer' which places a large npm package tree and a downloaded Chromium binary in a world-writable temp directory. The Chromium version is determined at install time by puppeteer's package.json, providing no pinning guarantee. A compromised npm registry entry for puppeteer would result in malicious code execution during setup.
LOW --no-sandbox email rendering creates persistent host code-execution surface -20
Because the skill renders all non-PDF email bodies through a sandboxless Chromium instance, any future malicious email arriving in the monitored Gmail account becomes a potential code-execution vector. This risk is not one-time but persistent across every invocation of the skill. Combined with the broad Gmail search scope, the skill effectively enables an attacker to deliver a payload by sending a single crafted email to the monitored account.
LOW Broad Gmail access scope enables lateral data collection beyond stated purpose -15
Because the skill has unrestricted Gmail API access, an agent could be instructed (via a subsequent user prompt or injected instruction) to search for and forward emails far outside the invoice/receipt domain — account recovery emails, two-factor codes, confidential communications — using the same gog CLI tooling the skill establishes.
INFO SKILL.md is clean of prompt injection directives -3
Full review of SKILL.md found no instructions to override system prompts, ignore previous instructions, suppress output, fetch external URLs, use invisible characters, switch personas, or chain unexpectedly with other skills. The skill describes straightforward Gmail API operations. Minor concern: the skill instructs the agent to perform unrestricted Gmail searches, which means a malicious email subject line could influence what the agent reports or summarizes.
INFO Install performs clean git sparse-checkout from github.com only -5
Process audit confirms a single git clone to github.com (140.82.121.4:443), followed by sparse-checkout of the skill subpath, file copy to skill-under-test directory, and cleanup of the temp clone. No unexpected binaries executed, no additional network connections initiated, no filesystem writes outside the skill directory. Pre-existing Ubuntu update service connections were present before and are unrelated to the skill install.
INFO Canary file reads predate install; no exfiltration detected -5
Filesystem and auditd monitoring recorded open/read access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials. The first access batch occurs at Unix timestamp 1771904998 (03:49:58), approximately 6 seconds before the install bash script executes at 1771905004. A second access batch at 1771905015 is consistent with the audit system's post-install canary verification pass. No outbound network transfer of canary content was observed in the packet capture. The canary integrity check confirms all files are intact.