← Back to Skills Marketplace

Honeybook

Name: Honeybook
Author: chrischall

by chrischall · GitHub ↗ · v0.1.10 · MIT-0

cross-platform ⚠ suspicious

140

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install honeybook

Description

This skill should be used when the user asks about HoneyBook client-portal data. Triggers on phrases like "check HoneyBook", "sign contract", "pay invoice",...

README (SKILL.md)

honeybook-mcp

MCP server for HoneyBook's client portal — 8 tools for viewing contracts and invoices across multiple wedding vendors, with magic-link session capture and deep-link fallback for signing and paying.

Tools

use_magic_link — Capture a session from a vendor magic-link URL
list_active_sessions — Show currently active portal sessions
list_workspace_files — All files one vendor has shared (filter by type)
get_workspace_file — Full detail for one file
get_workspace — Workspace detail + status flags
list_payment_methods — Saved payment methods
sign_contract — Deep link to sign in portal (requires confirm:true)
pay_invoice — Deep link to pay in portal (requires confirm:true)

Workflows

First time → user pastes magic-link URL from vendor email → use_magic_link → session captured
"What contracts haven't I signed?" → list_workspace_files with file_type=agreement, filter by is_file_accepted=false
"Summarize my HB status with Silk Veil" → get_workspace (status flags) + list_workspace_files
"Send me a link to sign the photographer's contract" → list_workspace_files → sign_contract with confirm:true
"Which invoices are overdue?" → list_workspace_files with file_type=invoice, sort by due date

Notes

Each vendor = separate session keyed by portal origin (e.g. https://acme.hbportal.co)
Sessions cached in ~/.honeybook-mcp/sessions.json (mode 0600)
Write tools (sign_contract, pay_invoice) return deep links in v2
Session expires → re-run use_magic_link with a fresh URL from the vendor's email

Usage Guidance

This skill appears to implement HoneyBook portal operations but has important gaps and ambiguities. Before installing or using it: (1) do not paste magic-link URLs (they contain access tokens) into an agent you don't fully trust; (2) ask the skill author to declare the config path(s) and to explain how sessions.json is stored and protected (encryption at rest, TTL for tokens, exact contents); (3) insist that write operations (signing, paying) require an explicit, human-confirmed step and that the skill return deep links instead of auto-submitting payments; (4) get clarity on how the agent 'captures' magic links (it should require the user to paste the link manually and never try to read email/clipboard without explicit permission); and (5) consider rejecting the skill or using it only in a tightly controlled environment until the author fixes the metadata (declare config paths) and documents safety/privacy controls. If the author provides those clarifications and limits persistence of sensitive tokens, reassess — otherwise treat the skill with caution.

Capability Analysis

Type: OpenClaw Skill Name: honeybook Version: 0.1.10 The honeybook skill bundle provides a standard Model Context Protocol (MCP) interface for managing HoneyBook client portal data, such as contracts and invoices. The documentation (SKILL.md) describes legitimate workflows for session management using magic links and local storage in ~/.honeybook-mcp/sessions.json with appropriate file permissions (0600). No malicious instructions, prompt injection attempts, or indicators of unauthorized data exfiltration were found in the provided metadata or skill instructions.

Capability Tags

cryptocan-make-purchases

Capability Assessment

⚠ Purpose & Capability

The skill's stated purpose (viewing/signing/paying HoneyBook portal items) is plausible for the listed tools, but the SKILL.md references a persistent session cache at ~/.honeybook-mcp/sessions.json even though the skill metadata declared no required config paths. Requesting no credentials is plausible if using magic links, but the persistent storage of session tokens should have been declared and justified.

⚠ Instruction Scope

The instructions say the agent 'captures a session from a vendor magic-link URL' but do not specify how that capture happens (user paste only, reading clipboard, fetching email, or scripting a browser). That vagueness could let the agent attempt broad actions to obtain tokens. The SKILL.md also directs writing session state to the user's home directory and performing write actions (sign_contract, pay_invoice) that require explicit confirmation but otherwise could enable transactions.

✓ Install Mechanism

This is an instruction-only skill with no install spec or code files, so there is no installer risk or arbitrary downloads.

⚠ Credentials

No environment variables or credentials are declared, which is consistent with using magic links, but the skill claims to list payment methods and store sessions (sensitive data) without declaring or explaining storage/encryption. The absence of declared config paths contradicts the SKILL.md reference to a specific sessions.json path.

⚠ Persistence & Privilege

The skill persists session tokens in ~/.honeybook-mcp/sessions.json (mode 0600) per SKILL.md, which is a lasting, sensitive artifact. Although always:false and autonomous invocation are normal, persistent session storage increases the blast radius if the agent or skill is compromised and the path was not declared up front.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install honeybook
After installation, invoke the skill by name or use /honeybook
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.1.10

No changes detected for version 0.1.10. - No updates or modifications were made in this release.

v0.1.9

No changes detected in this version. - No file or documentation changes found for version 0.1.9. - Functionality and description remain the same as the previous release.

v0.1.8

No user-facing changes in this release. - Version bump only; no files were modified. - All features and workflows remain unchanged.

v0.1.7

No user-facing changes in this release. - Version bumped to 0.1.7 - No file changes detected

v0.1.6

No changes detected in this version. - Version 0.1.6 was released with no file modifications or updates to features, tools, or documentation.

v0.1.5

No changes detected in this version. - The SKILL.md and related files remain unchanged from the previous version.

v0.1.4

HoneyBook skill v0.1.4 - Added detailed skill overview, triggers, and tool descriptions to SKILL.md - Clarified use-cases and workflows for managing contracts, invoices, and payments across multiple wedding vendors - Documented input triggers for the skill, including common user requests and phrases - Outlined security and session-handling behavior for portal access - Updated documentation to guide users on how to check contract and invoice statuses, sign contracts, and pay invoices via deep links

Metadata

Slug honeybook

Version 0.1.10

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 7

Frequently Asked Questions

What is Honeybook?

This skill should be used when the user asks about HoneyBook client-portal data. Triggers on phrases like "check HoneyBook", "sign contract", "pay invoice",... It is an AI Agent Skill for Claude Code / OpenClaw, with 140 downloads so far.

How do I install Honeybook?

Run "/install honeybook" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Honeybook free?

Yes, Honeybook is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Honeybook support?

Honeybook is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Honeybook?

It is built and maintained by chrischall (@chrischall); the current version is v0.1.10.

More Skills