Trusted — Risk Score 5/100
Last scan: 1 day ago
invoice-scan
AI-powered invoice OCR, scanning, and data extraction
The invoice-scan skill is a well-documented invoice OCR and data extraction tool with transparent behavior, clear privacy disclosures, and legitimate use of filesystem, network, and shell resources aligned with its declared purpose.
Skill Name: invoice-scan
Duration: 55.7s
Engine: pi
Safe to install
This skill is safe to use. Ensure users understand the privacy implications of CLI mode sending invoice data to Anthropic's API. Agent-native mode is recommended for privacy-sensitive environments.

Findings (1 item)

Severity: Low
Finding: Dependencies use caret ranges rather than pinned versions
Category: Supply Chain
Location: scripts/package.json:35

package.json specifies sharp ^0.33.0 and xlsx ^0.18.5 with caret ranges instead of exact pinned versions. While these are stable, widely-used packages with no known compromises, strict pinning would be more secure.

Evidence:
"sharp": "^0.33.0"

→ Consider pinning to exact versions (e.g., [email protected]) for reproducible builds, especially in production environments.
Resource access (declared vs. inferred)

Filesystem: declared WRITE, inferred WRITE, status ✓ Aligned. Evidence: SKILL.md declares output file writes to {WORKSPACE}/invoice-scan/output/; code c…
Network: declared READ, inferred READ, status ✓ Aligned. Evidence: SKILL.md declares external endpoint api.anthropic.com; scanner.js:195 confirms f…
Shell: declared WRITE, inferred WRITE, status ✓ Aligned. Evidence: SKILL.md declares npm install --production; package.json specifies sharp and xls…
Environment: declared READ, inferred READ, status ✓ Aligned. Evidence: SKILL.md declares ANTHROPIC_API_KEY env var requirement; cli.js:47 reads from pr…
Skill Invoke: declared NONE, inferred NONE. No inter-skill invocation observed.
Clipboard: declared NONE, inferred NONE. No clipboard access found in codebase.
Browser: declared NONE, inferred NONE. No browser automation present.
Database: declared NONE, inferred NONE. No database access found in codebase.

File Tree

21 files · 140.4 KB · 3726 lines
JavaScript: 17 files, 3437 lines · Markdown: 3 files, 249 lines · JSON: 1 file, 40 lines
├─ 📁 references
│ ├─ 📝 canonical-schema.md Markdown 57L · 2.4 KB
│ └─ 📝 validation-rules.md Markdown 53L · 2.5 KB
├─ 📁 scripts
│ ├─ 📁 adapters
│ │ ├─ 📜 base.js JavaScript 180L · 5.8 KB
│ │ ├─ 📜 claude.js JavaScript 298L · 12.5 KB
│ │ └─ 📜 index.js JavaScript 41L · 918 B
│ ├─ 📁 extraction
│ │ └─ 📜 scanner.js JavaScript 302L · 9.9 KB
│ ├─ 📁 output
│ │ ├─ 📜 csv.js JavaScript 99L · 3.4 KB
│ │ ├─ 📜 excel.js JavaScript 182L · 5.9 KB
│ │ ├─ 📜 index.js JavaScript 37L · 1.1 KB
│ │ ├─ 📜 json.js JavaScript 9L · 186 B
│ │ └─ 📜 prepare.js JavaScript 290L · 10.1 KB
│ ├─ 📁 preprocessing
│ │ └─ 📜 preprocess.js JavaScript 127L · 3.4 KB
│ ├─ 📁 schema
│ │ └─ 📜 canonical.js JavaScript 159L · 5.4 KB
│ ├─ 📁 test
│ │ └─ 📜 run-tests.js JavaScript 766L · 36.7 KB
│ ├─ 📁 validation
│ │ ├─ 📜 arithmetic.js JavaScript 154L · 5.8 KB
│ │ ├─ 📜 completeness.js JavaScript 261L · 8.9 KB
│ │ └─ 📜 document-rules.js JavaScript 317L · 10.5 KB
│ ├─ 📜 cli.js JavaScript 169L · 5.6 KB
│ ├─ 📜 index.js JavaScript 46L · 1.2 KB
│ └─ 📋 package.json JSON 40L · 993 B
└─ 📝 SKILL.md Markdown 139L · 7.3 KB

Dependencies (2 items)

Package: sharp · Version: ^0.33.0 · Source: npm · Known Vulns: No · Notes: libvips-based image processing library
Package: xlsx · Version: ^0.18.5 · Source: npm · Known Vulns: No · Notes: Excel file generation library (SheetJS)

Security Positives

✓ Agent-native mode performs ALL processing locally without any network access or external API calls
✓ Comprehensive privacy notice explicitly warns users about data transmission in CLI mode
✓ Clear documentation distinguishing between agent-native and CLI modes with their respective capabilities
✓ No credential harvesting — ANTHROPIC_API_KEY is only used for its declared purpose (authenticating to Claude API)
✓ No suspicious patterns: no base64 execution, no direct IP calls, no os.environ iteration, no curl|bash patterns
✓ Filesystem access is scoped to specific input files and a dedicated output directory
✓ Dependencies (sharp, xlsx) are well-known, stable libraries (image processing and Excel generation, respectively)
✓ No hidden functionality or shadow behavior — code matches documentation
✓ Comprehensive validation pipeline (arithmetic, document rules, schema, completeness) suggests a professional, legitimate project