← 返回 Skills 市场
jaumecornado

Holded Skill

作者 jaumecornado · GitHub ↗ · v0.2.3
cross-platform ✓ 安全检测通过
663
总下载
0
收藏
1
当前安装
6
版本数
在 OpenClaw 中安装
/install holded-skill
功能描述
Operate Holded ERP through holdedcli to read and update data safely. Use when the user asks to read, search, create, update, or delete Holded entities (conta...
使用说明 (SKILL.md)

holded-skill

Use holdedcli to read and modify Holded data with a safe, repeatable workflow.

Operational Flow

  1. Confirm technical prerequisites.
  2. Discover available actions with holded actions list.
  3. Inspect the selected action with holded actions describe \x3Caction> --json.
  4. Classify the action as read or write.
  5. If it is a write operation, ask for explicit confirmation before execution.
  6. Run with --json and summarize IDs, HTTP status, and applied changes.

Prerequisites

  • Verify that the binary exists: holded help
  • Verify credentials: holded auth status or HOLDED_API_KEY
  • Prefer structured output whenever possible: --json

Safety Rules

  • ALWAYS check deductibility rules BEFORE creating any document. See "Accounting Rules for Spain" section below.
  • Treat any POST, PUT, PATCH, or DELETE action as write.
  • Treat any GET action (or HEAD when present) as read.
  • Before any operation, always run holded actions describe \x3Caction> --json (after holded actions list) to validate accepted parameters.
  • For purchase receipts, always enforce docType=purchase and include "isReceipt": true in the JSON body. Since holdedcli validates against Holded's schema (which doesn't include isReceipt), you must use --skip-validation flag.
  • Ask for explicit user confirmation every time before any write action.
  • Do not execute writes on ambiguous replies (ok, go ahead, continue) without clarification.
  • Repeat the exact command before confirmation to avoid unintended changes.
  • If the user does not confirm, stop and offer payload adjustments.

Mandatory Confirmation Protocol

Before any write action, show:

  1. Holded action (action_id or operation_id).
  2. Method and endpoint.
  3. --path, --query, and body parameters (--body or --body-file).
  4. The exact command to run.

Use this format:

This operation will modify data in Holded.
Action: \x3Caction_id> (\x3CMETHOD> \x3Cendpoint>)
Changes: \x3Cshort summary>
Command: holded actions run ... --json
Do you confirm that I should run exactly this command? (reply with "yes" or "confirm")

Execute only after an explicit affirmative response.

Execution Pattern

Read Operations

  1. Locate the action with holded actions list --json (use --filter).
  2. Verify accepted path/query/body parameters with holded actions describe \x3Caction> --json.
  3. Run holded actions run \x3Caction> ... --json.
  4. Return a clear summary and relevant IDs for follow-up steps.

Write Operations

  1. Locate and validate the action.
  2. Run holded actions describe \x3Caction> --json to verify required/optional parameters.
  3. Prepare the final payload.
  4. If creating a purchase receipt/ticket, verify docType=purchase and "isReceipt": true, and use --skip-validation flag.
  5. Request mandatory confirmation.
  6. Run the command after confirmation.
  7. Report result (status_code, affected ID, API response).

Base Commands

holded auth set --api-key "$HOLDED_API_KEY"
holded auth status
holded ping --json
holded actions list --json
holded actions list --filter contacts --json
holded actions describe invoice.get-contact --json
holded actions run invoice.get-contact --path contactId=\x3Cid> --json

For long payloads, prefer --body-file:

holded actions run invoice.update-contact \
  --path contactId=\x3Cid> \
  --body-file payload.json \
  --json

Purchase receipt rule (mandatory for purchase tickets):

holded actions describe invoice.create-document --json
holded actions run invoice.create-document \
  --path docType=purchase \
  --body '{"isReceipt": true, "date": 1770764400, "contactId": "\x3CcontactId>", "items": [{"name": "Description", "units": 1, "subtotal": 29.4, "tax": 0}]}' \
  --skip-validation \
  --json

Important notes:

  • Use --skip-validation flag because holdedcli validates against Holded's schema which doesn't include isReceipt.
  • Use subtotal in items (not price) - this is the field name Holded's API expects.
  • Timestamps must be in seconds (Unix epoch) and in Europe/Madrid timezone.

Timestamp calculation (Python):

from datetime import datetime, timezone, timedelta
# For 11/02/2026 00:00 in Madrid:
dt = datetime(2026, 2, 11, 0, 0, 0, tzinfo=timezone(timedelta(hours=1)))
print(int(dt.timestamp()))  # 1770764400

Accounting Rules for Spain

⚠️ ALWAYS check these rules BEFORE creating any expense document:

Expense Type IVA Deductible Expense Deductible Account
Restaurants/Meals ❌ No ✅ Yes (with justification) 629
Displacement ❌ No ✅ Yes 629
Fuel ⚠️ Mixed ✅ Yes 625/622
Office supplies ✅ Yes ✅ Yes 600/602
Insurance ⚠️ Mixed ✅ Yes 625

Before creating any document, ALWAYS verify:

  1. Is the expense tax deductible?
  2. Is the IVA deductible? (usually NO for restaurants, displacement)
  3. If in doubt, ASK before creating the document.

Common mistake to avoid: Never set tax: 10 or tax: 21 for restaurant expenses - IVA is NOT deductible for meals unless it's a business event with proper justification.

Error Handling

  • If MISSING_API_KEY appears, configure API key through --api-key, HOLDED_API_KEY, or holded auth set.
  • If ACTION_NOT_FOUND appears, list the catalog and search with --filter.
  • If INVALID_BODY appears, validate JSON before execution.
  • If API_ERROR appears, report status_code and the API snippet.

References

  • Read {baseDir}/references/holdedcli-reference.md for quick commands and criteria.
  • Use dynamic action discovery and parameter inspection via:
    • holded actions list --json
    • holded actions describe \x3Caction> --json
安全使用建议
This skill appears to do what it claims, but check a few things before installing or enabling it: 1) Verify the Homebrew tap (jaumecornado/tap) and that you trust its author/source before running brew tap/install; third‑party taps can install arbitrary binaries. 2) Keep your HOLDED_API_KEY secret and only inject it when you trust the environment. 3) Understand that the skill recommends using --skip-validation and adding an undocumented field ("isReceipt") to create some purchase receipts — this bypasses client validation and can create records that may be invalid or unexpected if used incorrectly; rely on the mandatory confirmation flow and review payloads carefully. 4) The skill reads local holdedcli config (~/.config/holdedcli/config.yaml) as a credential source if present — be aware that local CLI config may be used. 5) Because the skill is instruction‑only, there are no embedded code files to audit, so your main exposure is the installed holded binary; validate that binary's provenance.
功能分析
Type: OpenClaw Skill Name: holded-skill Version: 0.2.3 The skill bundle is designed with robust safety protocols, particularly for write operations. The `SKILL.md` actively mitigates prompt injection risks by mandating explicit user confirmation for all data modifications, repeating commands for verification, and rejecting ambiguous replies. While the `--skip-validation` flag is used in a specific scenario (`isReceipt` for purchase receipts), it is explicitly justified as a workaround for a schema mismatch and is accompanied by instructions to enforce specific values, demonstrating an intent for controlled use rather than malicious bypass. There is no evidence of data exfiltration, backdoors, or other malicious intent.
能力评估
Purpose & Capability
Name/description, required binary ('holded'), primaryEnv (HOLDED_API_KEY), and the brew install for a holded CLI are coherent with a skill that drives the Holded API via the holdedcli tool. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md stays within the Holded CLI domain: it instructs discovery (actions list/describe), uses holded actions run for reads/writes, and enforces explicit confirmation before writes. One notable behavior: it requires using --skip-validation and forcing an undocumented field ("isReceipt") for purchase receipts — this bypasses client-side validation and can lead to creating payloads that the CLI would otherwise reject. That is coherent with the skill's stated workaround but increases risk if misused, so the agent's mandatory confirmation protocol is appropriate.
Install Mechanism
Install spec uses a Homebrew formula from jaumecornado/tap (brew tap jaumecornado/tap; brew install holded). Homebrew is a common install mechanism, but this is a third‑party tap (not Homebrew/core). Installing from a personal tap carries more trust risk than an official release channel; verify the tap/author before installing.
Credentials
Only the Holded API key (HOLDED_API_KEY) is declared as the primary credential, which matches the skill's need to authenticate to Holded. The documentation mentions possible alternative credential sources (~/.config/holdedcli/config.yaml), but no extra or unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It is instruction-only (no code files executed by the skill itself) and relies on the holded binary; normal agent autonomy settings apply.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install holded-skill
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /holded-skill 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.2.3
Added mandatory accounting rules check before creating documents. Added section with deductibility rules for Spain (IVA deductible for restaurants = NO)
v0.2.2
Fixed timestamp in purchase receipt example (was 2025, now 2026). Added timestamp calculation example for Europe/Madrid timezone.
v0.2.1
Fixed purchase receipt creation: added --skip-validation flag and clarified that items use 'subtotal' instead of 'price'
v0.2.0
Version 0.2.0 - Clarified that `holded actions describe <action> --json` must always be run before any operation. - Added mandatory rules for creating purchase receipts: require `docType=purchase` and `"isReceipt": true` in the payload. - Updated execution pattern and examples to reflect stricter purchase receipt handling. - Improved language for parameter validation, safety steps, and confirmation protocols. - Minor adjustments for clearer and more concise documentation.
v0.1.1
- Expanded the operational flow and safety rules to require `holded actions describe <action-id>` before running commands, ensuring parameters and endpoints are always verified. - Updated execution patterns to emphasize action discovery and parameter inspection with `holded actions list` and `holded actions describe`. - Adjusted example commands to include `holded actions describe`. - Clarified that both `holded actions list` and `holded actions describe` must precede execution, especially for write operations. - Documentation improvements for better clarity and stricter safety validation.
v0.1.0
Initial release of holded-skill — safely interact with Holded ERP via holdedcli. - Enables reading, searching, creating, updating, and deleting Holded entities directly from the terminal. - Implements strict safety protocol: explicit user confirmation required before any write (POST, PUT, PATCH, DELETE) operation. - Details operational flow, prerequisite checks, and confirmation procedures for all actions. - Provides clear patterns for both read and write workflows, including structured `--json` outputs. - Includes error handling and reporting for API key, action lookup, and payload validation issues.
元数据
Slug holded-skill
版本 0.2.3
许可证
累计安装 1
当前安装数 1
历史版本数 6
常见问题

Holded Skill 是什么?

Operate Holded ERP through holdedcli to read and update data safely. Use when the user asks to read, search, create, update, or delete Holded entities (conta... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 663 次。

如何安装 Holded Skill?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install holded-skill」即可一键安装,无需额外配置。

Holded Skill 是免费的吗?

是的,Holded Skill 完全免费(开源免费),可自由下载、安装和使用。

Holded Skill 支持哪些平台?

Holded Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Holded Skill?

由 jaumecornado(@jaumecornado)开发并维护,当前版本 v0.2.3。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论