Emissor de Nota Fiscal Paulistana

Faturamento NFS-e SP (Emissão e Cancelamento de Notas Fiscais em São Paulo)

This package appears to implement the advertised São Paulo NFS-e flows, but review these points before installing or using it with real certificates: 1) The code expects a municipal certificate (.p12) and the NFSE_CERT_PASSWORD env var, but the skill metadata does not declare those — expect to provide a certificate file and a password. 2) SKILL.md instructs the agent to create/modify files (config.json, .env, tomadores.json, contador_rps.txt). If you don't want the agent writing files, do not allow the automated wizard; instead configure files manually. 3) The README advises putting the certificate password into a plaintext .env file — store secrets securely (restrict file permissions, or use a secrets manager) and remove the .env from backups/version control. 4) The SKILL.md references env.example which is not included; verify the setup steps and supply your own .env if needed. 5) The scripts create temp PEM files and write debug/response XML to disk — audit those files for sensitive content and ensure temporary files are removed and access-restricted. 6) Verify dependencies (requests, lxml, signxml, cryptography, python-dotenv) are installed in a controlled environment. Recommended safe steps: test in an isolated environment with a revoked/test certificate; inspect the code yourself (or with a developer) before adding a production certificate; restrict file permissions on the certificate and .env; and avoid letting the agent perform automatic writes if you prefer manual control. If you want, provide me with specific lines or behaviors to inspect further (e.g., confirm absence of external, unexpected network endpoints or detect any code paths that upload files to non-official hosts).

Type: OpenClaw Skill Name: nota-fiscal-paulistana Version: 1.0.0 The skill bundle is a legitimate tool designed for managing São Paulo municipal service invoices (NFS-e). It contains Python scripts (emitir_nfse.py, baixar_notas.py, etc.) that interact with the official government API (nfews.prefeitura.sp.gov.br) using standard SOAP and XMLDSig protocols. The SKILL.md instructions implement a user-friendly 'Wizard' for initial setup, which correctly emphasizes security by directing the user to store sensitive certificate passwords in a local .env file rather than sharing them in the chat. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found; the inclusion of ISSSaoPaulo.txt appears to be a non-executable reference to the ACBr open-source library.