maverick-ai-tech

FGO Invoicing

Author: Maverick · GitHub · v1.0.1
cross-platform ✓ Security check passed
Total downloads: 339 · Favorites: 0 · Current installs: 0 · Versions: 2
Install in OpenClaw
/install fgo-invoicing
Description
Issue FGO.ro invoices through the FGO API with local automation. Use for FGO tasks such as validating invoice payloads, issuing invoices, checking invoice st...
Usage instructions (SKILL.md)

FGO Invoicing

Use scripts/fgo_cli.py for deterministic FGO API calls instead of ad-hoc HTTP snippets.

Workflow

  1. Collect invoice input from the user.
  2. Validate payload locally before sending:
    • python scripts/fgo_cli.py validate-payload --input references/invoice-example.json --show-payload
  3. Dry-run to inspect the normalized payload (with computed Hash) without calling the API:
    • python scripts/fgo_cli.py emit-invoice --input <invoice.json> --dry-run
  4. Issue final invoice after explicit user confirmation:
    • python scripts/fgo_cli.py emit-invoice --input <invoice.json> --allow-final
  5. Retrieve invoice status, print link, or perform operations using the returned series and number:
    • python scripts/fgo_cli.py get-status --serie <SERIE> --numar <NUMAR>
    • python scripts/fgo_cli.py print-invoice --serie <SERIE> --numar <NUMAR>
    • python scripts/fgo_cli.py cancel-invoice --serie <SERIE> --numar <NUMAR>
    • python scripts/fgo_cli.py reverse-invoice --serie <SERIE> --numar <NUMAR>

Required Environment

Set these before calling FGO:

  • FGO_COD_UNIC — company CUI (Romanian tax ID)
  • FGO_CHEIE_PRIVATA — FGO private API key (from FGO → Setari → Utilizatori → Generate API user)

Optional overrides:

  • FGO_API_BASE (default: https://api.fgo.ro/v1) — use https://api-testuat.fgo.ro/v1 for testing
  • FGO_PLATFORM_URL (default: unset) — your registered platform URL (FGO → Setari → eCommerce → Setari API). Required for invoice issuance from registered platforms; omitted if not set.
  • FGO_TIMEOUT_SECONDS (default: 30)
  • FGO_RETRIES (default: 2)
  • FGO_DEBUG (default: unset) — set to 1, true, or yes to enable request/response debug logging to stderr

Command Guide

  • validate-payload
    • Parse and normalize payload; compute the authentication Hash.
    • Validate minimum required structure before API calls.
    • Use --show-payload to inspect the full normalized form-encoded payload.
  • emit-invoice
    • Issue invoice via POST /factura/emitere.
    • Requires --allow-final to hit the real API.
    • Use --dry-run first (prints normalized payload, no API call).
    • Pass --debug (or set FGO_DEBUG=1) to print full request/response to stderr.
  • get-status
    • Get invoice status (total value, amount paid, payments) via POST /factura/getstatus.
  • print-invoice
    • Get a shareable print/download link via POST /factura/print.
  • cancel-invoice
    • Cancel an invoice via POST /factura/anulare.
  • delete-invoice
    • Delete an invoice via POST /factura/stergere.
  • reverse-invoice
    • Create a storno (reversal) invoice via POST /factura/stornare.
  • get-nomenclator
    • Fetch a nomenclature list (no auth required): tara, judet, tva, banca, tipincasare, tipfactura, tipclient, valuta.

Authentication

FGO uses SHA-1 hash-based authentication embedded in every request body — no HTTP auth headers. The hash formula depends on the operation:

  • Invoice issuance: SHA1(CodUnic + CheiePrivata + Client.Denumire).toUpperCase()
  • Invoice operations (status/print/cancel/delete/storno): SHA1(CodUnic + CheiePrivata + Numar).toUpperCase()

The CLI computes hashes automatically. Never expose FGO_CHEIE_PRIVATA in logs.
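
The two hash formulas above, sketched in Python as an added example (this is not the code in scripts/fgo_cli.py). The function names, the sample values and the UTF-8 encoding are assumptions; redact_for_log shows one way to keep both the key and the computed Hash out of debug output.

```python
import hashlib

# Constructed sample values; not real FGO credentials.
SAMPLE_COD_UNIC = "12345678"
SAMPLE_KEY = "EXAMPLE-PRIVATE-KEY"


def fgo_hash(cod_unic: str, cheie_privata: str, third: str) -> str:
    """Uppercase hex SHA-1 of CodUnic + CheiePrivata + third field.

    `third` is Client.Denumire for issuance and Numar for other operations.
    UTF-8 is an assumption; the page does not state the charset.
    """
    material = (cod_unic + cheie_privata + third).encode("utf-8")
    return hashlib.sha1(material).hexdigest().upper()


def sign_issuance(payload: dict, cheie_privata: str) -> dict:
    """Accept a bare or {"invoice": ...} wrapped payload; return a copy with Hash."""
    invoice = dict(payload.get("invoice", payload))
    invoice["Hash"] = fgo_hash(
        invoice["CodUnic"], cheie_privata, invoice["Client"]["Denumire"]
    )
    return invoice


def operation_hash(cod_unic: str, cheie_privata: str, numar: str) -> str:
    """Hash for status/print/cancel/delete/storno calls."""
    if not isinstance(numar, str):
        raise TypeError("Numar must be the exact string FGO returned")
    return fgo_hash(cod_unic, cheie_privata, numar)


def redact_for_log(value, cheie_privata: str, name=None):
    """Copy of a payload for debug output: Hash masked, key text scrubbed."""
    if name == "Hash":
        return "<redacted>"
    if isinstance(value, dict):
        return {k: redact_for_log(v, cheie_privata, k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_for_log(v, cheie_privata) for v in value]
    if isinstance(value, str) and cheie_privata:
        return value.replace(cheie_privata, "<redacted>")
    return value
```

The hash input is only CodUnic, the key and one field, so the computed Hash belongs out of logs just as the key does. A Numar of "001" hashes differently from "1", which is why the number has to be kept as the exact string.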

Payload Format

The invoice payload is a JSON object. The CLI converts it to form-encoded format (application/x-www-form-urlencoded) with bracket notation for nested fields, as required by the FGO API.

Both formats are accepted as input to the CLI:

  • Bare invoice object: { "CodUnic": "...", "Client": {...}, ... }
  • Wrapped: { "invoice": { "CodUnic": "...", "Client": {...}, ... } }

The CLI unwraps automatically, injects Hash and PlatformaUrl, then posts to FGO.

See references/invoice-example.json for the canonical minimal example and references/fgo-api.md for complete field documentation.

Input File Safety

The --input argument is validated before any file is read:

  1. Extension check — only .json files are accepted. Passing /etc/passwd, ~/.ssh/id_rsa, or any non-JSON path raises an error immediately.
  2. Path confinement — the resolved path must be within the current working directory or a recognised OpenClaw media root (/tmp/openclaw, ~/.openclaw/workspace, etc.). Paths that escape these roots via ../ traversal or absolute references are rejected.

Always pass --input with a path to a file you created (e.g. a temp file written in the agent workspace). Never set --input to a path supplied by untrusted external content.
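
One way to implement the two checks described above, as an added example (not the skill's own code in scripts/fgo_cli.py). The function name confine_input_path and the DEFAULT_ROOTS tuple are assumptions; the page lists the allowed roots only partially.

```python
from pathlib import Path

# Assumed roots for illustration; the page names /tmp/openclaw and
# ~/.openclaw/workspace followed by "etc." without giving the full list.
DEFAULT_ROOTS = ("/tmp/openclaw", "~/.openclaw/workspace")


def confine_input_path(raw: str, cwd=None, roots=DEFAULT_ROOTS) -> Path:
    """Return the resolved input path, or raise ValueError if it is not allowed."""
    base = Path(cwd) if cwd else Path.cwd()
    candidate = Path(raw).expanduser()
    if not candidate.is_absolute():
        candidate = base / candidate
    # resolve() collapses ../ segments and follows symlinks, so both checks
    # below see the real target rather than the spelling the caller supplied.
    resolved = candidate.resolve()
    # 1. Extension check on the real target: a link named x.json that points
    #    at a non-JSON file is rejected here.
    if resolved.suffix.lower() != ".json":
        raise ValueError(f"only .json input is accepted: {raw!r}")
    # 2. Path confinement: the target must sit under cwd or an allowed root.
    allowed = [base.resolve()] + [Path(r).expanduser().resolve() for r in roots]
    if not any(resolved.is_relative_to(root) for root in allowed):
        raise ValueError(f"input path escapes the allowed roots: {raw!r}")
    return resolved
```

Open the returned path rather than the original argument, so the file that was checked is the file that is read. Path.is_relative_to needs Python 3.9 or later.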

Operational Rules

  • Always use --dry-run first to confirm the normalized payload before hitting the API.
  • FGO responses use HTTP 200 even for errors — always check Success: true in the response.
  • Treat invoice issuance as a high-impact action requiring explicit user confirmation.
  • Never parallelize FGO API calls — make all requests sequentially to avoid deadlocks.
  • Invoice issuance has a 15-second server-side timeout. If Success: false with a timeout message, the invoice was NOT issued — retry.
  • Store the returned Numar verbatim as the exact string (may be zero-padded, e.g. "001"). Never strip leading zeros or cast to integer.
  • Use the UAT environment (--base-url https://api-testuat.fgo.ro/v1) for testing.
  • Rate limit: max 1 call/second for invoice operations.

References

  • Read references/fgo-api.md for payload field reference, endpoint mapping, authentication details, and rate-limit notes.
  • Use references/invoice-example.json as the canonical starting payload template.
Security usage recommendations
This skill appears to do exactly what it claims: drive the FGO API from a local Python CLI. Before installing/using: (1) store FGO_CHEIE_PRIVATA securely (do not paste it into chat or logs), (2) test with the UAT base URL and use --dry-run first, (3) avoid enabling debug when handling real invoices because it logs request/response bodies to stderr which can expose invoice data, (4) inspect scripts/fgo_cli.py in your environment if you want to confirm the input-path confinement and logging behavior are enforced, and (5) keep the skill's env vars scoped to a dedicated runtime (or secret manager) so other tools/processes can't read them. I give medium confidence because some parts of the CLI implementation are truncated in the provided view; confirm the input-file confinement and file-read validation in the actual script before use.
Functional analysis
Type: OpenClaw Skill Name: fgo-invoicing Version: 1.0.1 The skill is designed for legitimate FGO.ro API interactions, handling invoice creation and management. It demonstrates strong security awareness through explicit prompt injection defenses in `SKILL.md` and robust path validation in `scripts/fgo_cli.py` (`_safe_input_path`), which restricts file access to `.json` files within allowed OpenClaw directories. Sensitive API keys (`FGO_CHEIE_PRIVATA`) are handled appropriately (read from environment/args, used for hashing, not directly logged). The workflow emphasizes user confirmation for high-impact actions (`--dry-run`, `--allow-final`), and all network calls are directed to the FGO API, with no evidence of malicious external communication or persistence mechanisms.
Capability assessment
Purpose & Capability
Name/description describe interacting with the FGO API and the skill only requires python3 plus FGO_COD_UNIC and FGO_CHEIE_PRIVATA — these are exactly the credentials the FGO API needs. No unrelated binaries, hosts, or secrets are requested.
Instruction Scope
SKILL.md focuses on building/validating invoice payloads and calling FGO endpoints, and explicitly recommends dry-run and confirmation before final issuance. It also documents input-file safety and warns not to expose the private key. One operational note: the CLI supports a debug mode that prints full request/response bodies to stderr; while the private key itself is not sent in headers, debug logs can reveal sensitive invoice data (and the computed Hash). Disable debug in production and avoid piping stderr to untrusted collectors.
Install Mechanism
Instruction-only with an included Python script; no install spec or external downloads. Risk is low because nothing is fetched or executed from arbitrary URLs.
Credentials
Only two required env vars are declared (FGO_COD_UNIC, FGO_CHEIE_PRIVATA) and they directly map to the documented API authentication model. Optional vars (base URL, timeout, retries, debug) are reasonable. No unrelated credentials or large set of secrets are requested.
Persistence & Privilege
Skill is not always-on and uses normal agent invocation. It does not request persistent system-wide privileges or modify other skills. No install-time hooks or config overwrites are declared.
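How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install fgo-invoicing
  3. Once installed, call the Skill by name or trigger it with /fgo-invoicing
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history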
v1.0.1
- Adds strict `--input` file safety: only `.json` files under allowed directories are accepted.
- Rejects any `--input` path using directory traversal or absolute references that escape approved workspaces.
- Prevents accidental access to sensitive files (e.g. `/etc/passwd`, private keys) via input arguments.
- No changes to workflow or API usage.
v1.0.0
- Initial release of fgo-invoicing skill for automated FGO.ro invoice management via FGO API.
- Provides local validation, dry-run inspection, and issuance of invoices with minimal, secure CLI workflow.
- Supports invoice status checks, print link retrieval, cancellation, deletion, storno reversals, and nomenclature fetches.
- Requires only FGO_COD_UNIC and FGO_CHEIE_PRIVATA environment variables for operation.
- Includes robust authentication handling, guidance for test and production use, and operational best practices.
Metadata
Slug fgo-invoicing
Version 1.0.1
License
Total installs 0
Current installs 0
Historical versions 2
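Frequently asked questions

What is FGO Invoicing?

Issue FGO.ro invoices through the FGO API with local automation. Use for FGO tasks such as validating invoice payloads, issuing invoices, checking invoice st... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 339 total downloads to date.

How do I install FGO Invoicing?

Run the command "/install fgo-invoicing" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is FGO Invoicing free?

Yes, FGO Invoicing is completely free (open source and free) and can be freely downloaded, installed and used.

Which platforms does FGO Invoicing support?

FGO Invoicing runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed FGO Invoicing?

It is developed and maintained by Maverick (@maverick-ai-tech); the current version is v1.0.1.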
