FGO Invoicing
v1.0.1
Issue FGO.ro invoices through the FGO API with local automation. Use for FGO tasks such as validating invoice payloads, issuing invoices, checking invoice st...
by Maverick @maverick-ai-tech
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description describe interacting with the FGO API and the skill only requires python3 plus FGO_COD_UNIC and FGO_CHEIE_PRIVATA — these are exactly the credentials the FGO API needs. No unrelated binaries, hosts, or secrets are requested.
Instruction Scope
SKILL.md focuses on building/validating invoice payloads and calling FGO endpoints, and explicitly recommends dry-run and confirmation before final issuance. It also documents input-file safety and warns not to expose the private key. One operational note: the CLI supports a debug mode that prints full request/response bodies to stderr; while the private key itself is not sent in headers, debug logs can reveal sensitive invoice data (and the computed Hash). Disable debug in production and avoid piping stderr to untrusted collectors.
Install Mechanism
Instruction-only with an included Python script; no install spec or external downloads. Risk is low because nothing is fetched or executed from arbitrary URLs.
Credentials
Only two required env vars are declared (FGO_COD_UNIC, FGO_CHEIE_PRIVATA) and they directly map to the documented API authentication model. Optional vars (base URL, timeout, retries, debug) are reasonable. No unrelated credentials or large set of secrets are requested.
Persistence & Privilege
Skill is not always-on and uses normal agent invocation. It does not request persistent system-wide privileges or modify other skills. No install-time hooks or config overwrites are declared.
Assessment
This skill appears to do exactly what it claims: drive the FGO API from a local Python CLI. Before installing/using: (1) store FGO_CHEIE_PRIVATA securely (do not paste it into chat or logs), (2) test with the UAT base URL and use --dry-run first, (3) avoid enabling debug when handling real invoices because it logs request/response bodies to stderr which can expose invoice data, (4) inspect scripts/fgo_cli.py in your environment if you want to confirm the input-path confinement and logging behavior are enforced, and (5) keep the skill's env vars scoped to a dedicated runtime (or secret manager) so other tools/processes can't read them. I give medium confidence because some parts of the CLI implementation are truncated in the provided view; confirm the input-file confinement and file-read validation in the actual script before use.
Like a lobster shell, security has layers — review code before you run it.
latest vk978b2wde08hyf589vr3g3fmyn81zs1x
Runtime requirements
Bins: python3
Env: FGO_COD_UNIC, FGO_CHEIE_PRIVATA
Primary env: FGO_CHEIE_PRIVATA
