invoice-extractor
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

This skill specification is consistent with its stated purpose: it needs an API key and access to invoice files, sends them to a configurable VLM API to perform extraction, then writes the results locally. There is no evidence of obfuscated or malicious code in the provided text.

The primary security concern is an expected one: sensitive invoice contents and the API key are sent to the configured BASE_URL. If a user points BASE_URL at a malicious endpoint, or the default is not the expected provider, that would enable credential and data exfiltration. Users should validate the BASE_URL and treat API_KEY and the invoice files as sensitive. Overall the skill appears benign in intent but carries a normal-but-material privacy/exfiltration risk that depends on the provider configuration.

LLM verification: Functionally, the skill appears to implement a reasonable invoice extraction utility. The principal security/privacy concern is that the default BASE_URL is set to dashscope.aliyuncs.com, which routes API keys and sensitive documents to a third party by default without explanation of its trustworthiness or data-retention policies. No direct evidence of malware or obfuscated code exists in the provided documentation, but the default endpoint and lack of implementation visibility constitute a sign
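The check the audit recommends, validating BASE_URL before any invoice or API key is sent, as an added example written for this page; it is not code from the invoice-extractor skill or from Socket. It assumes the skill is configured through environment-style settings named BASE_URL and API_KEY (the names the audit uses) and that the only provider the operator has approved is dashscope.aliyuncs.com, the default the audit names; the allowlist, the function names and the sample configuration are illustrative assumptions.

```python
import os
from urllib.parse import urlsplit, urlunsplit

# Hosts the operator has decided invoice contents and API_KEY may be sent to.
# dashscope.aliyuncs.com is the default the audit names; extend deliberately.
ALLOWED_HOSTS = frozenset({"dashscope.aliyuncs.com"})


def validate_base_url(base_url, allowed_hosts=ALLOWED_HOSTS):
    """Return a normalised BASE_URL or raise ValueError.

    The host must match an allowlisted name exactly (no suffix or substring
    matching, so 'dashscope.aliyuncs.com.evil.example' is rejected), the
    scheme must be https, no credentials may be embedded in the URL, and
    only the default TLS port is accepted.
    """
    parts = urlsplit(base_url.strip())
    if parts.scheme != "https":
        raise ValueError(f"BASE_URL must use https, got {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("BASE_URL must not embed credentials")
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None or host not in allowed_hosts:
        raise ValueError(f"BASE_URL host {host!r} is not an approved provider")
    if parts.port not in (None, 443):
        raise ValueError(f"BASE_URL port {parts.port} is not allowed")
    if parts.query or parts.fragment:
        raise ValueError("BASE_URL must not carry a query string or fragment")
    # Rebuild from parts so callers get a canonical https://host/path form.
    return urlunsplit(("https", host, parts.path.rstrip("/"), "", ""))


def redact_key(api_key):
    """Short identifier safe to write to logs; never the full key."""
    if not api_key:
        return "<unset>"
    return api_key[:4] + "..." + f"({len(api_key)} chars)"


def load_settings(env):
    """Validate a settings mapping (constructed or os.environ) before use.

    Returns the validated base URL and a redacted key label. The real
    API_KEY is intentionally not returned here so it is not logged by
    accident; the caller reads it from env only at request time.
    """
    base_url = env.get("BASE_URL")
    if not base_url:
        raise ValueError("BASE_URL is not set; refusing to guess a provider")
    api_key = env.get("API_KEY")
    if not api_key:
        raise ValueError("API_KEY is not set")
    return {
        "base_url": validate_base_url(base_url),
        "api_key_label": redact_key(api_key),
    }


if __name__ == "__main__":
    # Constructed sample configuration, not real credentials.
    sample_env = {
        "BASE_URL": "https://dashscope.aliyuncs.com/compatible-mode/v1/",
        "API_KEY": "sk-example-not-a-real-key-0000",
    }
    print(load_settings(sample_env))
    # With a real deployment: load_settings(os.environ)
```

The exact-host rule is the part that matters: an endswith or "contains" comparison would accept a lookalike domain that merely has the approved name as a prefix, which is precisely the malicious-endpoint case the audit warns about.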