ThinkForce
v1.1.0Dispatch tasks to your ThinkForce AI agents via REST API and poll for results easily without server setup or complex configuration.
⭐ 0· 97·0 current·0 all-time
by@ade5791
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The SKILL.md describes making REST calls to app.thinkforce.ai with an X-TF-API-Key header to list companies/agents, dispatch tasks, and manage missions — which matches the skill name and description. There are no declared binaries, installs, or unrelated credentials requested, so the capability set is proportionate to the stated purpose.
Instruction Scope
Runtime instructions are limited to performing HTTPS requests to app.thinkforce.ai, polling for task results, and handling mission/subtask endpoints. The instructions do not direct the agent to read local files, other credentials, system paths, or to send data to any other endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk and no third-party packages are fetched. That is the lowest-risk install posture.
Credentials
The skill requires an API key for ThinkForce (documented in SKILL.md as X-TF-API-Key) but the registry metadata declares no required environment variables or primary credential. That is not dangerous by itself, but it's an inconsistency: the skill will need the user's API key at runtime (provided via header or an env var they configure). Also note that any data sent to the third-party service will be visible to that service, so users should avoid sending sensitive secrets or PII.
Persistence & Privilege
Flags show no always:true and model invocation is allowed (the platform default). The skill does not request system-wide configuration changes or persistent privileges; it only documents how to call the remote API.
Assessment
This skill appears to do what it says: call ThinkForce's REST API using an X-TF-API-Key. Before installing, consider: 1) provenance — there is no homepage and the source is unknown, so verify you trust the publisher (ownerId is present but no URL or repo to inspect); 2) secrets — the skill requires a ThinkForce API key at runtime (SKILL.md documents it) even though the registry metadata doesn't list a required env var; store the key securely (do not hardcode it into prompts or public code) and consider using a platform secret store; 3) data sent to app.thinkforce.ai will be visible to that service — do not send sensitive PII or confidential data you wouldn't want shared; 4) rotate/revoke the API key if you stop using the skill or suspect compromise; 5) there is a minor metadata inconsistency (registry version 1.1.0 vs _meta.json version 1.0.0) — not a functional risk but worth noting. If you need higher assurance, ask the publisher for a homepage or repository link and a privacy/security policy before use.Like a lobster shell, security has layers — review code before you run it.
latestvk973mg3w5gcwgb7ags1mcr175d838hmp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.