← Back to Skills Marketplace
jaumecornado

Holded Skill

by jaumecornado · GitHub ↗ · v0.2.3
cross-platform ✓ Security Clean
663
Downloads
0
Stars
1
Active Installs
6
Versions
Install in OpenClaw
/install holded-skill
Description
Operate Holded ERP through holdedcli to read and update data safely. Use when the user asks to read, search, create, update, or delete Holded entities (conta...
README (SKILL.md)

holded-skill

Use holdedcli to read and modify Holded data with a safe, repeatable workflow.

Operational Flow

  1. Confirm technical prerequisites.
  2. Discover available actions with holded actions list.
  3. Inspect the selected action with holded actions describe \x3Caction> --json.
  4. Classify the action as read or write.
  5. If it is a write operation, ask for explicit confirmation before execution.
  6. Run with --json and summarize IDs, HTTP status, and applied changes.

Prerequisites

  • Verify that the binary exists: holded help
  • Verify credentials: holded auth status or HOLDED_API_KEY
  • Prefer structured output whenever possible: --json

Safety Rules

  • ALWAYS check deductibility rules BEFORE creating any document. See "Accounting Rules for Spain" section below.
  • Treat any POST, PUT, PATCH, or DELETE action as write.
  • Treat any GET action (or HEAD when present) as read.
  • Before any operation, always run holded actions describe \x3Caction> --json (after holded actions list) to validate accepted parameters.
  • For purchase receipts, always enforce docType=purchase and include "isReceipt": true in the JSON body. Since holdedcli validates against Holded's schema (which doesn't include isReceipt), you must use --skip-validation flag.
  • Ask for explicit user confirmation every time before any write action.
  • Do not execute writes on ambiguous replies (ok, go ahead, continue) without clarification.
  • Repeat the exact command before confirmation to avoid unintended changes.
  • If the user does not confirm, stop and offer payload adjustments.

Mandatory Confirmation Protocol

Before any write action, show:

  1. Holded action (action_id or operation_id).
  2. Method and endpoint.
  3. --path, --query, and body parameters (--body or --body-file).
  4. The exact command to run.

Use this format:

This operation will modify data in Holded.
Action: \x3Caction_id> (\x3CMETHOD> \x3Cendpoint>)
Changes: \x3Cshort summary>
Command: holded actions run ... --json
Do you confirm that I should run exactly this command? (reply with "yes" or "confirm")

Execute only after an explicit affirmative response.

Execution Pattern

Read Operations

  1. Locate the action with holded actions list --json (use --filter).
  2. Verify accepted path/query/body parameters with holded actions describe \x3Caction> --json.
  3. Run holded actions run \x3Caction> ... --json.
  4. Return a clear summary and relevant IDs for follow-up steps.

Write Operations

  1. Locate and validate the action.
  2. Run holded actions describe \x3Caction> --json to verify required/optional parameters.
  3. Prepare the final payload.
  4. If creating a purchase receipt/ticket, verify docType=purchase and "isReceipt": true, and use --skip-validation flag.
  5. Request mandatory confirmation.
  6. Run the command after confirmation.
  7. Report result (status_code, affected ID, API response).

Base Commands

holded auth set --api-key "$HOLDED_API_KEY"
holded auth status
holded ping --json
holded actions list --json
holded actions list --filter contacts --json
holded actions describe invoice.get-contact --json
holded actions run invoice.get-contact --path contactId=\x3Cid> --json

For long payloads, prefer --body-file:

holded actions run invoice.update-contact \
  --path contactId=\x3Cid> \
  --body-file payload.json \
  --json

Purchase receipt rule (mandatory for purchase tickets):

holded actions describe invoice.create-document --json
holded actions run invoice.create-document \
  --path docType=purchase \
  --body '{"isReceipt": true, "date": 1770764400, "contactId": "\x3CcontactId>", "items": [{"name": "Description", "units": 1, "subtotal": 29.4, "tax": 0}]}' \
  --skip-validation \
  --json

Important notes:

  • Use --skip-validation flag because holdedcli validates against Holded's schema which doesn't include isReceipt.
  • Use subtotal in items (not price) - this is the field name Holded's API expects.
  • Timestamps must be in seconds (Unix epoch) and in Europe/Madrid timezone.

Timestamp calculation (Python):

from datetime import datetime, timezone, timedelta
# For 11/02/2026 00:00 in Madrid:
dt = datetime(2026, 2, 11, 0, 0, 0, tzinfo=timezone(timedelta(hours=1)))
print(int(dt.timestamp()))  # 1770764400

Accounting Rules for Spain

⚠️ ALWAYS check these rules BEFORE creating any expense document:

Expense Type IVA Deductible Expense Deductible Account
Restaurants/Meals ❌ No ✅ Yes (with justification) 629
Displacement ❌ No ✅ Yes 629
Fuel ⚠️ Mixed ✅ Yes 625/622
Office supplies ✅ Yes ✅ Yes 600/602
Insurance ⚠️ Mixed ✅ Yes 625

Before creating any document, ALWAYS verify:

  1. Is the expense tax deductible?
  2. Is the IVA deductible? (usually NO for restaurants, displacement)
  3. If in doubt, ASK before creating the document.

Common mistake to avoid: Never set tax: 10 or tax: 21 for restaurant expenses - IVA is NOT deductible for meals unless it's a business event with proper justification.

Error Handling

  • If MISSING_API_KEY appears, configure API key through --api-key, HOLDED_API_KEY, or holded auth set.
  • If ACTION_NOT_FOUND appears, list the catalog and search with --filter.
  • If INVALID_BODY appears, validate JSON before execution.
  • If API_ERROR appears, report status_code and the API snippet.

References

  • Read {baseDir}/references/holdedcli-reference.md for quick commands and criteria.
  • Use dynamic action discovery and parameter inspection via:
    • holded actions list --json
    • holded actions describe \x3Caction> --json
Usage Guidance
This skill appears to do what it claims, but check a few things before installing or enabling it: 1) Verify the Homebrew tap (jaumecornado/tap) and that you trust its author/source before running brew tap/install; third‑party taps can install arbitrary binaries. 2) Keep your HOLDED_API_KEY secret and only inject it when you trust the environment. 3) Understand that the skill recommends using --skip-validation and adding an undocumented field ("isReceipt") to create some purchase receipts — this bypasses client validation and can create records that may be invalid or unexpected if used incorrectly; rely on the mandatory confirmation flow and review payloads carefully. 4) The skill reads local holdedcli config (~/.config/holdedcli/config.yaml) as a credential source if present — be aware that local CLI config may be used. 5) Because the skill is instruction‑only, there are no embedded code files to audit, so your main exposure is the installed holded binary; validate that binary's provenance.
Capability Analysis
Type: OpenClaw Skill Name: holded-skill Version: 0.2.3 The skill bundle is designed with robust safety protocols, particularly for write operations. The `SKILL.md` actively mitigates prompt injection risks by mandating explicit user confirmation for all data modifications, repeating commands for verification, and rejecting ambiguous replies. While the `--skip-validation` flag is used in a specific scenario (`isReceipt` for purchase receipts), it is explicitly justified as a workaround for a schema mismatch and is accompanied by instructions to enforce specific values, demonstrating an intent for controlled use rather than malicious bypass. There is no evidence of data exfiltration, backdoors, or other malicious intent.
Capability Assessment
Purpose & Capability
Name/description, required binary ('holded'), primaryEnv (HOLDED_API_KEY), and the brew install for a holded CLI are coherent with a skill that drives the Holded API via the holdedcli tool. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md stays within the Holded CLI domain: it instructs discovery (actions list/describe), uses holded actions run for reads/writes, and enforces explicit confirmation before writes. One notable behavior: it requires using --skip-validation and forcing an undocumented field ("isReceipt") for purchase receipts — this bypasses client-side validation and can lead to creating payloads that the CLI would otherwise reject. That is coherent with the skill's stated workaround but increases risk if misused, so the agent's mandatory confirmation protocol is appropriate.
Install Mechanism
Install spec uses a Homebrew formula from jaumecornado/tap (brew tap jaumecornado/tap; brew install holded). Homebrew is a common install mechanism, but this is a third‑party tap (not Homebrew/core). Installing from a personal tap carries more trust risk than an official release channel; verify the tap/author before installing.
Credentials
Only the Holded API key (HOLDED_API_KEY) is declared as the primary credential, which matches the skill's need to authenticate to Holded. The documentation mentions possible alternative credential sources (~/.config/holdedcli/config.yaml), but no extra or unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It is instruction-only (no code files executed by the skill itself) and relies on the holded binary; normal agent autonomy settings apply.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install holded-skill
  3. After installation, invoke the skill by name or use /holded-skill
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.3
Added mandatory accounting rules check before creating documents. Added section with deductibility rules for Spain (IVA deductible for restaurants = NO)
v0.2.2
Fixed timestamp in purchase receipt example (was 2025, now 2026). Added timestamp calculation example for Europe/Madrid timezone.
v0.2.1
Fixed purchase receipt creation: added --skip-validation flag and clarified that items use 'subtotal' instead of 'price'
v0.2.0
Version 0.2.0 - Clarified that `holded actions describe <action> --json` must always be run before any operation. - Added mandatory rules for creating purchase receipts: require `docType=purchase` and `"isReceipt": true` in the payload. - Updated execution pattern and examples to reflect stricter purchase receipt handling. - Improved language for parameter validation, safety steps, and confirmation protocols. - Minor adjustments for clearer and more concise documentation.
v0.1.1
- Expanded the operational flow and safety rules to require `holded actions describe <action-id>` before running commands, ensuring parameters and endpoints are always verified. - Updated execution patterns to emphasize action discovery and parameter inspection with `holded actions list` and `holded actions describe`. - Adjusted example commands to include `holded actions describe`. - Clarified that both `holded actions list` and `holded actions describe` must precede execution, especially for write operations. - Documentation improvements for better clarity and stricter safety validation.
v0.1.0
Initial release of holded-skill — safely interact with Holded ERP via holdedcli. - Enables reading, searching, creating, updating, and deleting Holded entities directly from the terminal. - Implements strict safety protocol: explicit user confirmation required before any write (POST, PUT, PATCH, DELETE) operation. - Details operational flow, prerequisite checks, and confirmation procedures for all actions. - Provides clear patterns for both read and write workflows, including structured `--json` outputs. - Includes error handling and reporting for API key, action lookup, and payload validation issues.
Metadata
Slug holded-skill
Version 0.2.3
License
All-time Installs 1
Active Installs 1
Total Versions 6
Frequently Asked Questions

What is Holded Skill?

Operate Holded ERP through holdedcli to read and update data safely. Use when the user asks to read, search, create, update, or delete Holded entities (conta... It is an AI Agent Skill for Claude Code / OpenClaw, with 663 downloads so far.

How do I install Holded Skill?

Run "/install holded-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Holded Skill free?

Yes, Holded Skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Holded Skill support?

Holded Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Holded Skill?

It is built and maintained by jaumecornado (@jaumecornado); the current version is v0.2.3.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments