mintannn

Invoice Collector

by minta · GitHub ↗ · v1.2.0
cross-platform ⚠ suspicious
800 Downloads · 2 Stars · 1 Active Installs · 3 Versions
Install in OpenClaw
/install invoice-collector
Description
Collect invoices/receipts from Gmail and send a summary email with attachments. Automatically downloads PDF attachments or takes screenshots of emails withou...
README (SKILL.md)

Invoice Collector

Collect invoices from Gmail and send them as a summary email with all attachments.

Security Considerations

Puppeteer --no-sandbox Flag

This skill uses --no-sandbox when launching Puppeteer/Chromium. This is required in many environments:

  • WSL (Windows Subsystem for Linux): Chrome sandbox requires kernel features not available in WSL1/WSL2
  • Docker containers: Unless running with --privileged or specific seccomp profiles
  • CI/CD environments: Most runners don't support Chrome's sandbox

Risk: With the sandbox disabled, a malicious HTML email that exploits the renderer is no longer contained by the browser and could potentially execute code outside the browser context.

Mitigation: This skill only renders emails from your own Gmail inbox, so the risk is limited to emails you've already received. Those emails are still sender-controlled content. If you're concerned, review emails before processing or run in an isolated environment.

Installation via curl | tar

The gogcli installation example uses curl -sL ... | tar xz, which is a common pattern but carries supply chain risks if the source were compromised.

Safer alternative (verify checksum):

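# Download the archive and the published checksums (-f: fail on HTTP errors)
curl -fsLO https://github.com/steipete/gogcli/releases/latest/download/gogcli_linux_amd64.tar.gz
curl -fsLO https://github.com/steipete/gogcli/releases/latest/download/checksums.txt
# Verify, then extract and install only if the checksum matches.
# checksums.txt comes from the same release as the archive, so this detects a
# corrupted or swapped download, not a compromised release.
sha256sum -c checksums.txt --ignore-missing \
  && tar xzf gogcli_linux_amd64.tar.gz \
  && mv gog ~/.local/bin/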

macOS users: Use brew install steipete/tap/gogcli which handles verification automatically.


Prerequisites & Setup

1. Install gogcli

# Linux (download binary)
curl -sL https://github.com/steipete/gogcli/releases/latest/download/gogcli_linux_amd64.tar.gz | tar xz
mv gog ~/.local/bin/

# macOS
brew install steipete/tap/gogcli

2. Setup Google OAuth

  1. Go to Google Cloud Console
  2. Create project → Enable Gmail API
  3. Create OAuth credentials (Desktop app)
  4. Download JSON
gog auth credentials ~/path/to/client_secret.json
gog auth add [email protected]

3. Install Puppeteer (for email screenshots)

cd /tmp && npm install puppeteer

4. Install Japanese fonts (optional, for JP emails)

sudo apt install fonts-noto-cjk

Usage

Generic Invoice Search

Search for any invoice/receipt without specifying specific senders:

export GOG_ACCOUNT="[email protected]"
export GOG_KEYRING_PASSWORD="your-password"

# Search all invoices in date range
gog gmail search '(invoice OR receipt OR 請求書 OR 領収書 OR billing OR payment) after:2026/01/01 before:2026/02/01'

# Search with specific criteria
gog gmail search 'subject:(invoice OR receipt) has:attachment after:2026/01/01'

Workflow

  1. Search - Find invoice emails
  2. Download - Get PDFs or screenshot emails
  3. Summarize - Create summary with amounts
  4. Send - Email to destination with attachments

Step 1: Search Invoices

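# All invoices from last month (GNU date)
# Anchor on the 1st of this month so "-1 month" cannot skip a month on the 29th-31st
THIS_MONTH=$(date +%Y/%m/01)
LAST_MONTH=$(date -d "$(date +%Y-%m-01) -1 month" +%Y/%m/01)
gog gmail search "(invoice OR receipt OR 請求書 OR 領収書) after:$LAST_MONTH before:$THIS_MONTH" --json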

Step 2: Process Each Email

mkdir -p /tmp/invoices

For emails WITH PDF attachments:

# Get message details
MSG_ID="<message_id_here>"
EMAIL_JSON=$(gog gmail read "$MSG_ID" --json)

# Find PDF attachment
ATTACH_INFO=$(echo "$EMAIL_JSON" | jq -r '.thread.messages[0].payload.parts[]? | select(.filename | test("\\.pdf$"; "i")) | "\(.body.attachmentId)|\(.filename)"' | head -1)
ATTACH_ID=$(echo "$ATTACH_INFO" | cut -d'|' -f1)
# The filename is sender-controlled: strip directory components before using it in a path
FILENAME=$(basename -- "$(echo "$ATTACH_INFO" | cut -d'|' -f2-)")

# Download
gog gmail attachment "$MSG_ID" "$ATTACH_ID" --out "/tmp/invoices/$FILENAME"

For emails WITHOUT PDF (take screenshot):

MSG_ID="<message_id_here>"

# Extract HTML
gog gmail read "$MSG_ID" --json | node -e "
const fs = require('fs');
let data = '';
process.stdin.on('data', chunk => data += chunk);
process.stdin.on('end', () => {
  const json = JSON.parse(data);
  const msg = json.thread.messages[0];
  let html = '';
  const findHtml = (p) => {
    if (p.mimeType === 'text/html' && p.body?.data) {
      html = Buffer.from(p.body.data, 'base64').toString('utf-8');
    }
    if (p.parts) p.parts.forEach(findHtml);
  };
  (msg.payload.parts || []).forEach(findHtml);
  if (!html && msg.payload.body?.data) {
    html = Buffer.from(msg.payload.body.data, 'base64').toString('utf-8');
  }
  fs.writeFileSync('/tmp/invoices/email.html', html || '<html><body>No content</body></html>');
});
"

# Screenshot
node -e "
const puppeteer = require('puppeteer');
const fs = require('fs');
(async () => {
  const browser = await puppeteer.launch({ headless: 'new', args: ['--no-sandbox'] });
  const page = await browser.newPage();
  await page.setViewport({ width: 800, height: 1200 });
  await page.setContent(fs.readFileSync('/tmp/invoices/email.html', 'utf-8'), { waitUntil: 'networkidle0' });
  await page.screenshot({ path: '/tmp/invoices/receipt.png', fullPage: true });
  await browser.close();
})();
"
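
A lower-risk way to run the screenshot step, as an added example that is not part of the skill's own code: it disables script execution in the page, blocks every remote sub-resource the message tries to load, and passes --no-sandbox only on explicit opt-in. The INVOICE_NO_SANDBOX variable, the file name render_email.js and the function names are assumptions made for this example.

```javascript
// Added example (not the skill's code): render untrusted email HTML with less exposure.

// Policy: only inline resources may load; remote images, CSS and fonts are refused.
function allowRequest(url) {
  return /^(data|about):/i.test(url);
}

// Keep Chromium's sandbox unless the operator opts out (e.g. WSL, Docker, CI).
// INVOICE_NO_SANDBOX is a hypothetical variable introduced for this example.
function launchArgs(env = process.env) {
  return env.INVOICE_NO_SANDBOX === '1' ? ['--no-sandbox'] : [];
}

async function renderEmail(htmlPath, pngPath) {
  // Loaded lazily so the policy functions above can be used without Puppeteer installed.
  const { default: puppeteer } = await import('puppeteer');
  const { readFile } = await import('node:fs/promises');
  const blocked = [];
  const browser = await puppeteer.launch({ headless: 'new', args: launchArgs() });
  try {
    const page = await browser.newPage();
    await page.setJavaScriptEnabled(false);   // disable script execution in the page
    await page.setRequestInterception(true);  // route sub-resource requests through the policy
    page.on('request', (req) => {
      if (allowRequest(req.url())) return req.continue();
      blocked.push(req.url());
      return req.abort('blockedbyclient');
    });
    await page.setViewport({ width: 800, height: 1200 });
    await page.setContent(await readFile(htmlPath, 'utf-8'), { waitUntil: 'load' });
    await page.screenshot({ path: pngPath, fullPage: true });
  } finally {
    await browser.close();
  }
  return blocked; // URLs the message tried to fetch, worth reviewing
}

// Usage: node render_email.js /tmp/invoices/email.html /tmp/invoices/receipt.png
if (process.argv[2] && process.argv[3]) {
  renderEmail(process.argv[2], process.argv[3])
    .then((blocked) => console.log(`blocked ${blocked.length} remote request(s)`))
    .catch((err) => { console.error(err); process.exitCode = 1; });
}
```

Blocking remote loads also stops tracking pixels from firing when a message is rendered; the returned list shows which hosts a message tried to contact.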

Step 3: Extract Invoice Info

Parse email for sender, date, amount:

# Get basic info from email
gog gmail read "$MSG_ID" --json | jq '{
  from: .thread.messages[0].payload.headers[] | select(.name=="From") | .value,
  subject: .thread.messages[0].payload.headers[] | select(.name=="Subject") | .value,
  date: .thread.messages[0].payload.headers[] | select(.name=="Date") | .value
}'

Step 4: Send Summary Email

gog gmail send \
  --to "[email protected]" \
  --subject "【$(date +%Y年%m月)】請求書まとめ" \
  --body "請求書・領収書を添付します。

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 請求書まとめ
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

【添付ファイル】
1. Invoice-001.pdf - Service A
2. Receipt.png - Service B (メールスクショ)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

このメールは自動生成されました。
" \
  --attach /tmp/invoices/Invoice-001.pdf \
  --attach /tmp/invoices/Receipt.png

Example Prompts

Generic:

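  • "Collect all of last month's invoices and send them together"
  • "Search for invoice and forward the invoices that arrived this month to [email protected]"
  • "Search with has:attachment receipt and collect the invoices"

Specific:

  • "Collect the invoices from Anthropic, Vercel and AWS"
  • "Gather the last 3 months of invoices matching from:stripe"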

Tips

  • Date format: YYYY/MM/DD for gog search
  • PDF priority: Always prefer PDF attachments over screenshots
  • Japanese fonts: Required for correct rendering of JP emails
  • Cleanup: rm -rf /tmp/invoices after sending
  • Cron: Set up monthly cron job for recurring collection
Usage Guidance
This skill appears to do what it claims, but take these precautions before installing or running it:

  • Gmail access is required: the skill uses gogcli OAuth tokens to read/send your mail. Only grant this to an account you trust and understand the scope (read and send). Treat those tokens as highly sensitive.
  • Avoid exporting passwords on the command line. SKILL.md suggests exporting GOG_KEYRING_PASSWORD; doing that writes secrets into shell history. Prefer using a config file or secure keyring prompts instead.
  • Puppeteer runs Chromium with --no-sandbox (documented). Rendering arbitrary email HTML without a sandbox increases risk; run this in an isolated environment (dedicated VM/container) if you process untrusted senders.
  • Verify gogcli install sources: the examples use GitHub releases (common), but do not pipe unverified archives blindly; follow the SKILL.md guidance to verify checksums or use your OS package manager.
  • Inspect the included script (scripts/collect_invoices.sh) and test on a limited mailbox subset before running broadly. Confirm the destination email address in the config to avoid accidental data leakage.

If you want higher assurance, ask the maintainer for (1) a declared list of required environment variables in the registry metadata to match SKILL.md, (2) a verified install method (checksums or package manager), and (3) an option that avoids sending keyring passwords via env variables.
Capability Analysis
Type: OpenClaw Skill
Name: invoice-collector
Version: 1.2.0

The skill is classified as suspicious due to the explicit use of Puppeteer with the `--no-sandbox` flag in both the `SKILL.md` instructions and the `scripts/collect_invoices.sh` script. While acknowledged in the documentation as a compatibility requirement, this flag introduces a significant Remote Code Execution (RCE) vulnerability if a malicious HTML email is processed. Additionally, the `SKILL.md` recommends installing `gogcli` via `curl | tar`, which is a supply chain risk, although it also provides a safer alternative. There is no evidence of intentional malicious behavior like data exfiltration to external endpoints, unauthorized persistence, or prompt injection attempts against the agent, but the RCE risk is substantial.
Capability Assessment
Purpose & Capability
The name/description (collect invoices from Gmail, summarize, forward attachments) lines up with the included script and SKILL.md: it requires gogcli for Gmail access, jq for JSON parsing, and node/puppeteer for HTML screenshots. The resources requested are broadly appropriate for the stated purpose.
Instruction Scope
Instructions and the script operate directly on the user's Gmail account (search, read message bodies, download attachments, render HTML, and send email). This is expected for an invoice-gathering tool. The SKILL.md explicitly instructs rendering HTML via Puppeteer (with --no-sandbox) and exporting keyring passwords for gog, which increases operational risk and should be treated carefully.
Install Mechanism
The skill is instruction-only (no platform install spec), but SKILL.md recommends installing gogcli via a curl | tar pipeline and installing puppeteer via npm. The GitHub releases URL is a common source (better than an unknown host), but piping into tar and npm-installing Puppeteer (which downloads Chromium) carry supply-chain and local-execution risks unless checksums or package manager installs are used. The SKILL.md itself recommends verifying checksums or using brew on macOS.
Credentials
Registry metadata listed no required env vars, but SKILL.md documents GOG_ACCOUNT and GOG_KEYRING_PASSWORD; the script also expects a config.json with account/destination fields. The skill requires OAuth credentials (Gmail access) via gogcli — a sensitive capability. Asking users to export GOG_KEYRING_PASSWORD on the shell can expose secrets via shell history. The number and type of credentials are proportionate to the function, but the metadata mismatch and advice to export a keyring password are concerns.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide privileges. It runs as a user process, uses temporary directories under /tmp (unique name), and deletes them at the end. It does not modify other skills or system-wide agent config.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install invoice-collector
  3. After installation, invoke the skill by name or use /invoice-collector
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
Added Security Considerations section explaining --no-sandbox requirement and safer installation alternatives
v1.1.0
Added missing runtime requirements (node, jq, puppeteer) and environment variables to metadata
v1.0.0
Initial release of invoice-collector.
  • Collects invoices/receipts from Gmail and sends a summary email with attachments.
  • Automatically downloads PDF attachments or generates screenshots if no PDF is present.
  • Requires gogcli (gog) and Gmail API access to function.
  • Includes setup instructions for gogcli, Google OAuth, Puppeteer, and optional Japanese fonts.
  • Step-by-step workflow: search, download, summarize, and send invoices.
  • Provides example prompts and advanced usage tips.
Metadata
Slug invoice-collector
Version 1.2.0
License
All-time Installs 1
Active Installs 1
Total Versions 3
Frequently Asked Questions

What is Invoice Collector?

Collect invoices/receipts from Gmail and send a summary email with attachments. Automatically downloads PDF attachments or takes screenshots of emails withou... It is an AI Agent Skill for Claude Code / OpenClaw, with 800 downloads so far.

How do I install Invoice Collector?

Run "/install invoice-collector" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Invoice Collector free?

Yes, Invoice Collector is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Invoice Collector support?

Invoice Collector is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Invoice Collector?

It is built and maintained by minta (@mintannn); the current version is v1.2.0.
