nollio

Freelancer Toolkit

Author: Nollio · GitHub · v1.0.3 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 128
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw
/install normieclaw-freelancer-toolkit
Description
Toggl wants you to click Start, remember to click Stop, then manually build a timesheet at month-end. Freelancer Toolkit works the way freelancers actually t...
Security recommendations
What to consider before installing:
- Dependency mismatch: The scripts require jq (and Bash 4+), but the skill metadata does not declare any required binaries. Make sure jq is installed before running setup, or be prepared to allow the setup script to install it via your package manager (it asks first, but may run sudo). If you don't want package installs, install jq yourself and rerun setup.
- Local-only storage: All data is stored in ~/.freelancer-toolkit. The skill's files and scripts do not make network requests themselves, but your OpenClaw agent or any integrations you enable (LLM providers, InvoiceGen Pro) could send data elsewhere. Treat the data directory as sensitive and back it up/encrypt it as appropriate.
- Bug/risk in scripts: The client-report and export-timesheet scripts use jq with multiple 'input' calls but pass files in an order that appears incorrect; as a result, reports/exports may be wrong or produce error messages. This is a logic bug, not evidence of data exfiltration, but it means outputs may be unreliable. Review and test the scripts in a safe environment before relying on them for billing.
- Setup behavior: setup.sh will create ~/.freelancer-toolkit, set directory permissions (chmod 700) and file permissions (chmod 600). This is reasonable, but confirm these are acceptable on your system. The script will propose installing jq via system package manager if missing — only agree if you trust the environment and the package manager commands shown.
- InvoiceGen Pro: The README/SKILL.md mention 'InvoiceGen Pro' handoff but there is no built-in network integration here. If you plan to connect to an external invoice tool, verify how data is transmitted and review that tool's permissions and privacy.
Recommendations:
  1. Inspect scripts (already included) and run them in a disposable environment or after backing up existing home data.
  2. Install jq yourself (or confirm the setup prompt actions) rather than granting automatic package installs without review.
  3. Test report/export scripts on a small dataset to confirm outputs are correct; consider fixing the jq input-order bug if you can or contacting the author for a patch.
  4. Keep the data directory private (disk encryption, proper backups) and be mindful that your OpenClaw agent's other integrations or LLM calls may expose that data.
If you want, I can point out the exact lines in the scripts that are likely buggy and suggest corrected jq invocation patterns.
Functional analysis
Type: OpenClaw Skill
Name: normieclaw-freelancer-toolkit
Version: 1.0.3
The Freelancer Toolkit is a comprehensive skill bundle for time tracking and project management, but it contains path traversal vulnerabilities in its reporting and export logic. Specifically, the script `scripts/client-report.sh` and the instructions in `SKILL.md` use unsanitized client names to construct file paths for writing reports and invoices (e.g., `client-report-${SAFE_NAME}.md`). This lack of input sanitization could allow for arbitrary file overwrites if a malicious client name is introduced into the local database, potentially via indirect prompt injection. While the bundle is well-documented and lacks evidence of intentional malice or data exfiltration, these security flaws pose a risk to the host system.
Capability assessment
Purpose & Capability
The name, description, SKILL.md, README, and included scripts are internally consistent: the skill stores data under ~/.freelancer-toolkit and provides local reporting, exports, timers, and dashboard specs. However, the package metadata lists no required binaries while the scripts and README explicitly require jq and Bash 4+. That undeclared dependency is an incoherence.
Instruction Scope
Runtime instructions and scripts operate only on a single data directory (~/.freelancer-toolkit) and do not include network calls. The setup script may invoke the system package manager (brew/apt-get/yum) to install jq with explicit user confirmation, which is within scope but worth calling out. SKILL.md references handing off invoices to 'InvoiceGen Pro' but there is no concrete network integration code here — that is an aspirational/optional integration, not an implemented remote endpoint.
Install Mechanism
There is no external download or install spec — this is an instruction+script bundle shipped with the skill. That is lower risk than fetching arbitrary code. The only install-like behavior is setup.sh offering to install jq via the machine's package manager (with user prompt).
Credentials
The skill declares no required env vars or credentials, which matches its local-only design. However, the scripts depend on jq (and Bash 4+) even though metadata omitted that requirement. Also setup.sh can call sudo apt-get / yum if the user consents; this is expected for installing jq but elevates the potential impact if the user mistakenly authorizes it.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It creates and manages files solely under ~/.freelancer-toolkit and sets restrictive permissions for that directory and JSON files in setup.sh, which is reasonable for a local data store.
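How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install normieclaw-freelancer-toolkit
  3. Once installation is complete, invoke the Skill by name or use /normieclaw-freelancer-toolkit to trigger it
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history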
v1.0.3
v1.0.3: Security fixes: confined scripts to skill directory, removed filesystem traversal from setup
v1.0.2
v1.0.2: MIT license, cleaned descriptions, removed cross-sell
v1.0.0
Initial publish from NormieClaw.ai — Free OpenClaw skills for everyone.
Metadata
Slug normieclaw-freelancer-toolkit
Version 1.0.3
License MIT-0
Total installs 0
Current installs 0
Historical versions 3
FAQ

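What is Freelancer Toolkit?

Toggl wants you to click Start, remember to click Stop, then manually build a timesheet at month-end. Freelancer Toolkit works the way freelancers actually t... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 128 total downloads to date.

How do I install Freelancer Toolkit?

Run the command "/install normieclaw-freelancer-toolkit" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is Freelancer Toolkit free?

Yes, Freelancer Toolkit is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Freelancer Toolkit support?

Freelancer Toolkit runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Freelancer Toolkit?

Developed and maintained by Nollio (@nollio); the current version is v1.0.3.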
