Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
rizzforms
v1.0.0
Create forms, configure webhook delivery, manage submissions, and generate embed HTML using the RizzForms API and bundled CLI. Use this skill whenever the us...
by Blair Anderson (@blairanderson)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill claims to bundle a CLI for managing RizzForms and to perform form/webhook management via the RizzForms API, which is coherent with the description. However, the file manifest does not include the promised CLI at scripts/rizzforms (only SKILL.md and references/api.md are present). Additionally, the SKILL.md expects an admin API key and a config file path (~/.config/rizzforms/config) even though the registry metadata lists no required environment variables or config paths. The absence of the actual CLI binary/script in the bundle is a material inconsistency.
Instruction Scope
The runtime instructions tell the agent to run a bundled CLI, to chmod +x <skill-path>/scripts/rizzforms, and to read/set RIZZFORMS_API_KEY or ~/.config/rizzforms/config. Those instructions imply reading/writing environment and filesystem state and executing a script — but the package does not include that script. The instructions also direct the user to obtain an admin-scoped API key and to store signing secrets; those actions are appropriate for the stated functionality but grant wide access (create/update/delete forms, read submissions) and therefore require explicit declaration and care.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code in the manifest. That minimizes installation risk. The SKILL.md references a bundled CLI, but since it is absent there is no actual install to evaluate. If a future version includes a download/extract/install step, it should be inspected for source and host provenance.
Credentials
The skill needs an API key with the admin role (RIZZFORMS_API_KEY with prefix frk_). For full form creation and webhook management this is proportionate, but the registry metadata failed to declare this required environment variable. Requesting an admin-scoped key is sensitive — least-privilege (e.g., readonly or limited-scope keys) should be preferred when possible. The SKILL.md also references storing signing_secret, which is expected for webhook verification but must be protected.
Persistence & Privilege
The skill does not request always:true and does not declare any system-wide configuration changes. Instructions involve using an API key and possibly writing a config file under the user's home directory; that is normal for API clients but should be performed only after verifying the client code. Autonomous invocation is allowed by default (platform default) but is not combined with other high-privilege flags here.
What to consider before installing
Do not provide an admin API key or run any CLI until you verify where the CLI code actually comes from. Specific recommended steps:
1) Confirm the skill bundle includes the script at scripts/rizzforms before running chmod or executing it; if it is missing, ask the publisher why or obtain the CLI only from the official RizzForms release.
2) Prefer creating a least-privilege API key (readonly or custom-scoped) for evaluation instead of an admin key; only use an admin key if absolutely necessary and you trust the code.
3) If you get the CLI, inspect its contents (source) for unexpected network endpoints, telemetry, or attempts to read unrelated files.
4) Verify the domain names (forms.rizzness.com, www.rizzness.com) and the SSL/TLS certificates are legitimate.
5) Treat signing_secret and API keys like secrets — store them securely and rotate them if exposed.
If the publisher cannot explain the missing CLI or provide source code for inspection, do not install or run the skill.

Like a lobster shell, security has layers — review code before you run it.
