chenzhuowen

invoice-qr-scanner

Author: Evan Chen · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 420
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install invoice-qr-scanner
Description
Scan QR codes from invoice receipts and automatically fill electronic invoice applications. Use when user asks to scan QR codes from images, complete electro...
Usage instructions (SKILL.md)

Invoice QR Scanner

Overview

This skill enables automatic electronic invoice application by scanning QR codes from receipt images and filling out online invoice forms. It handles the complete workflow from QR code detection to invoice submission.

Workflow

Step 1: QR Code Recognition

When a user provides an invoice receipt image containing a QR code:

  1. Run the QR code recognition script:
    node scan-qr.js <image-path>
    
  2. The script outputs the decoded QR code URL
  3. If recognition fails, ask user to provide the URL directly

Step 2: Navigate to Invoice System

  1. Open the decoded URL in browser automation
  2. Verify the page loads successfully
  3. Take snapshot to understand form structure

Step 3: Retrieve Company Information

Before filling the form, retrieve the user's company information:

  1. Check memory files for stored invoice header information:
    • Search memory/YYYY-MM-DD.md for recent invoice info
    • Check MEMORY.md for long-term stored details
  2. Required fields typically include:
    • Company name (公司名称)
    • Tax ID/Unified Social Credit Code (税号)
    • Address (地址)
    • Phone number (电话)
    • Bank name (开户行)
    • Bank account number (银行账号)

Step 4: Fill Invoice Form

  1. Analyze the form structure using browser snapshot
  2. Fill in company information fields
  3. Fill in recipient information:
    • Phone number (手机号)
    • Email address (邮箱)
  4. Verify all required fields are completed

Step 5: Review and Submit

  1. Submit the form
  2. Review confirmation page
  3. Verify all information is correct
  4. Report results to user

Error Handling

QR Code Not Recognized

If QR code recognition fails:

  1. Ask user to provide the URL directly
  2. Suggest using phone to scan and share the URL

Form Structure Changes

If the invoice system form structure changes:

  1. Take a new snapshot
  2. Identify updated field references
  3. Adapt the filling process accordingly
  4. Document the new structure for future reference

Missing Information

If required company or contact information is missing:

  1. Ask user to provide the missing details
  2. Update memory files with new information
  3. Continue with the invoice application

Scripts

scan-qr.js

Primary script for QR code recognition from images using Node.js and qrcode-reader library.

Usage:

node scan-qr.js <image-path>

Requirements:

  • Node.js environment (v14+)
  • npm packages: qrcode-reader, canvas

Installation:

cd scripts
npm install qrcode-reader canvas

Output:

  • Decoded QR code URL on success (format: "✅ 识别成功: <url>")
  • Error message on failure (format: "❌ 错误: <error message>")

Technology:

  • Uses qrcode-reader library for QR code decoding
  • Canvas for image processing
  • Pure JavaScript implementation (no Worker required)

Memory Integration

This skill relies on stored user information in memory files:

Company Invoice Header Information (stored in MEMORY.md):

  • Company name
  • Tax ID
  • Address
  • Phone number
  • Bank information

Contact Information (stored in MEMORY.md):

  • Mobile phone numbers
  • Email addresses

When filling forms, always reference this information first before asking the user.

Best Practices

  1. Always verify the decoded URL is legitimate before proceeding
  2. Double-check all information before submission
  3. Take snapshots at each step for documentation
  4. Report results clearly to the user after submission
  5. Update memory with new information if user provides corrections
  6. Use auto-complete when available (more accurate than manual input)
Security usage recommendations
This skill does what it claims (decodes QR codes and attempts to fill invoice forms), but it will read sensitive company data from your agent memory and submit it to whatever URL is encoded in the QR. Before installing: 1) require that the agent always prompt you for confirmation (and show the decoded URL) before opening or submitting to the site; 2) prefer a domain whitelist or manual-approval step for target URLs; 3) verify where snapshots and updated MEMORY.md entries are stored and who can access them; 4) test the scan-qr.js locally to confirm QR output; 5) ensure browser automation runs in a sandboxed environment and that sensitive fields are not auto-submitted without explicit consent. If the author can provide an explicit browser-automation implementation, a forced confirmation step, or domain whitelisting, reassess — those mitigations would reduce the current concerns.
Functional analysis
Type: OpenClaw Skill
Name: invoice-qr-scanner
Version: 1.0.0

The skill is classified as suspicious due to potential shell injection vulnerabilities and the inherent risk of opening arbitrary URLs. The `SKILL.md` and `README.md` instruct the OpenClaw agent to execute `node scan-qr.js <image-path>`. If the `<image-path>` argument is derived directly from unsanitized user input, it could lead to shell injection (e.g., `image.jpg; rm -rf /`). Additionally, the skill's core function involves decoding QR code URLs and then instructing the agent to open them via browser automation. While `SKILL.md` advises to 'Always verify the decoded URL is legitimate', the skill itself does not implement this verification, posing a risk if a malicious QR code is scanned. These are significant vulnerabilities/risks, but there is no clear evidence of intentional malicious behavior (e.g., data exfiltration to external endpoints, persistence, or explicit prompt injection for unauthorized actions) within the provided code or instructions.
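The two gaps named above (the image path reaching a shell, and the decoded URL being opened without verification) can be closed with a small wrapper around the scanner. This is an added example, not code from the skill or its author; the allowlisted host `invoice.example.com` and the function names are hypothetical, and only the `scan-qr.js` name and its success-line format come from the page.

```javascript
'use strict';

// Hypothetical allowlist: replace with the invoice portals you actually trust.
const ALLOWED_HOSTS = new Set(['invoice.example.com']);

// Pull the URL out of scan-qr.js output ("✅ 识别成功: <url>"); null on failure.
function parseScanOutput(stdout) {
  const m = /^✅ 识别成功: (\S+)\s*$/m.exec(stdout);
  return m ? m[1] : null;
}

// Check a decoded QR URL before any browser automation opens it.
function checkInvoiceUrl(decoded, allowed = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(String(decoded).trim());
  } catch {
    return { ok: false, reason: 'not a URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme must be https' };
  if (url.username || url.password) return { ok: false, reason: 'embedded credentials' };
  if (url.port !== '') return { ok: false, reason: 'non-default port' };
  // Exact host match only: suffix or substring matching would accept
  // look-alike hosts such as "invoice.example.com.attacker.test".
  if (!allowed.has(url.hostname)) return { ok: false, reason: 'host not allowlisted' };
  return { ok: true, url: url.href };
}

// argv for scan-qr.js: the image path is a single element, never shell text.
function scanArgs(imagePath) {
  if (typeof imagePath !== 'string' || imagePath === '' || imagePath.includes('\0')) {
    throw new TypeError('image path must be a non-empty string without NUL');
  }
  return ['scan-qr.js', imagePath];
}

// Run the scanner without a shell, then gate the result on the allowlist.
function scanAndCheck(imagePath) {
  const { execFileSync } = require('child_process');
  // execFileSync hands argv straight to node, so ";" or "$()" in the path
  // are just filename characters.
  const out = execFileSync(process.execPath, scanArgs(imagePath),
    { encoding: 'utf8', timeout: 15000 });
  const decoded = parseScanOutput(out);
  return decoded ? checkInvoiceUrl(decoded) : { ok: false, reason: 'no QR decoded' };
}
```

A result with `ok: false` should stop the workflow before Step 2; an `ok: true` result is still a good point to show the URL to the user for confirmation before any memory data is filled in.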
Capability assessment
Purpose & Capability
The skill name/description (scan invoice QR and fill invoice forms) matches the included QR decoding script and the stated use of MEMORY.md for company/contact info. However, the SKILL.md references browser automation and live form submission but does not declare or include any browser-automation implementation, dependencies, or explicit user-consent steps—this omission is a gap between claimed capability and what's provided.
Instruction Scope
Instructions tell the agent to: decode a QR to a URL, open that URL in browser automation, read sensitive company/contact data from memory files (MEMORY.md, memory/YYYY-MM-DD.md), fill and submit forms, take snapshots, and update memory. These actions involve reading and transmitting sensitive data (tax ID, bank account, phone, emails) to external endpoints discovered from QR codes. The SKILL.md says to 'Always verify' the URL but does not mandate user confirmation or domain whitelisting before submission, nor does it specify how snapshots and memory updates are stored or protected.
Install Mechanism
There is no install spec (instruction-only skill) which reduces some risk. The repository includes Node.js script and package.json that instructs npm install of qrcode-reader and canvas; canvas has native system dependencies (libcairo, etc.) noted in README. No remote downloads from untrusted URLs are present. Overall install risk is low-to-moderate but the skill assumes availability of browser automation without providing it.
Credentials
The skill requests no environment variables or external credentials, which is good, but it explicitly reads local memory files containing highly sensitive company information (tax ID, bank account numbers, phone numbers, emails) and will transmit them to whatever URL the QR code contains. That is a high-sensitivity operation without declared safeguards; the lack of requested credentials is not sufficient protection because the skill still exfiltrates secrets via the web forms it auto-submits to.
Persistence & Privilege
always:false and default autonomous invocation are set. Autonomous invocation combined with this skill's ability to read memory and submit external forms raises the blast radius if the agent runs without explicit user confirmation. The skill also instructs updating memory files, which is reasonable for its purpose but not documented how writes are controlled or consented to.
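How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog: /install invoice-qr-scanner
  3. After installation, invoke the Skill by name or trigger it with /invoice-qr-scanner
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial version: automatically scans invoice QR codes and fills in electronic invoice applications
Metadata
Slug: invoice-qr-scanner
Version: 1.0.0
License
Cumulative installs: 0
Current installs: 0
Historical versions: 1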
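FAQ

What is invoice-qr-scanner?

Scan QR codes from invoice receipts and automatically fill electronic invoice applications. Use when user asks to scan QR codes from images, complete electro... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 420 cumulative downloads to date.

How do I install invoice-qr-scanner?

Run the command "/install invoice-qr-scanner" in the OpenClaw or Claude Code dialog to install it in one step; no additional configuration is required.

Is invoice-qr-scanner free?

Yes, invoice-qr-scanner is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does invoice-qr-scanner support?

invoice-qr-scanner is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed invoice-qr-scanner?

It is developed and maintained by Evan Chen (@chenzhuowen); the current version is v1.0.0.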
