Holded Skill

Result: Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: holded-skill
Version: 0.2.3

The skill bundle is designed with robust safety protocols, particularly for write operations. The `SKILL.md` actively mitigates prompt injection risks by mandating explicit user confirmation for all data modifications, repeating commands for verification, and rejecting ambiguous replies. While the `--skip-validation` flag is used in a specific scenario (`isReceipt` for purchase receipts), it is explicitly justified as a workaround for a schema mismatch and is accompanied by instructions to enforce specific values, demonstrating an intent for controlled use rather than malicious bypass. There is no evidence of data exfiltration, backdoors, or other malicious intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If confirmed, commands could change or delete important business, accounting, invoice, contact, product, CRM, project, or team data in Holded.

Why it was flagged

The skill can perform high-impact ERP mutations, including deletes, but the artifacts also require explicit user confirmation before writes.

Skill content

Use when the user asks to read, search, create, update, or delete Holded entities ... Ask for explicit user confirmation every time before any write action.

Recommendation

Review the exact command and payload before confirming any write, use the least-privileged Holded API key available, and be especially careful with delete or accounting actions.

What this means

A mistaken purchase-receipt payload could create incorrect accounting records if the user confirms it.

Why it was flagged

The skill intentionally bypasses client-side validation for purchase receipts. This is disclosed and scoped, but it reduces a safety check.

Skill content

Since holdedcli validates against Holded's schema (which doesn't include `isReceipt`), you must use the `--skip-validation` flag.

Recommendation

Only use `--skip-validation` for the documented receipt case, and manually verify document type, tax treatment, totals, and contact IDs before confirming.

What this means

Anyone or any agent process with access to the configured key may be able to read or modify Holded data within that key's scope.

Why it was flagged

The skill uses a Holded API key and may rely on a local Holded CLI config file, which grants account access according to the key's permissions.

Skill content

Credentials (priority):
1. `--api-key`
2. `HOLDED_API_KEY`
3. `~/.config/holdedcli/config.yaml`

Recommendation

Use a dedicated, least-privileged API key if possible, avoid exposing it in shared logs or prompts, and rotate or revoke it if no longer needed.

What this means

The behavior ultimately depends on the installed holded CLI and its Homebrew tap, not only on this instruction file.

Why it was flagged

The skill depends on an external Homebrew formula for the holded CLI; that executable is not included in the skill artifacts reviewed here.

Skill content

brew | formula: jaumecornado/tap/holded | creates binaries: holded

Recommendation

Install the CLI only from a trusted source, review the linked project or tap if needed, and keep it updated through normal package-management practices.