FGO Invoicing

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its FGO invoicing purpose, but it can change or delete real invoice records and only clearly requires confirmation for issuing invoices.

Use this only with an FGO account you intend the agent to operate. Test with the UAT API first, keep FGO_CHEIE_PRIVATA private, avoid sharing debug output, and require a separate explicit confirmation before issuing, cancelling, deleting, or reversing any real invoice.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could cancel, delete, or reverse real invoice records without a documented extra confirmation step, which could disrupt accounting or customer records.

Why it was flagged

The agent prompt includes destructive or corrective invoice operations, but only invoice issuance is explicitly marked as requiring confirmation.

Skill content

cancel/delete invoices, create storno reversals ... Treat real invoice issuance (emit-invoice --allow-final) as a high-impact action requiring explicit user confirmation.

Recommendation

Require explicit user confirmation for cancel-invoice, delete-invoice, and reverse-invoice, and consider adding an allow-final style flag for every high-impact mutation.

What this means

Anyone or any agent process with these credentials may be able to issue, inspect, cancel, delete, or reverse invoices through the FGO account.

Why it was flagged

The skill requires an FGO private API key and company tax identifier; this is expected for the integration, but it gives the CLI authority over invoice operations.

Skill content

FGO_COD_UNIC — company CUI ... FGO_CHEIE_PRIVATA — FGO private API key

Recommendation

Use the least-privileged FGO API user available, prefer the UAT endpoint for testing, keep credentials in environment variables, and avoid sharing debug logs.

What this means

Users have less context for who maintains the helper script before granting it access to invoicing credentials.

Why it was flagged

The registry metadata does not provide an external source or homepage for independent provenance review.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the bundled script before use and install only if you trust the publisher and the code shown in the artifacts.