rizzforms
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s form-management purpose is reasonable, but it asks for high-privilege RizzForms access while relying on a claimed bundled CLI that is not present in the reviewed package.
Before installing, confirm whether the missing `scripts/rizzforms` CLI is actually supplied and review it if present. Use a least-privileged RizzForms key, approve any form or webhook changes before they run, and treat submissions and webhook secrets as sensitive data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may try to run a missing or unreviewed helper while handling a powerful API key, making it unclear what code would actually manage the account.
The supplied metadata and manifest state that there are no code files and no install spec, so the referenced executable is absent from the reviewed package even though it is presented as the preferred way to handle authentication and API operations.
This skill includes a CLI at `scripts/rizzforms`. Use it instead of writing raw curl commands ... `chmod +x <skill-path>/scripts/rizzforms`
Do not rely on the claimed CLI unless the package actually includes it and its code is reviewable; otherwise use documented, explicit API calls and verify credential handling.
An admin key can create and update forms, manage webhooks, and read submissions; misuse could change the account or expose submitted data.
The skill clearly discloses use of a RizzForms credential, but it asks for an admin key and directs the agent to look in a local config file, which is high-privilege account access.
You need a RizzForms API key with the **admin** role ... Look for `RIZZFORMS_API_KEY` in the environment or `~/.config/rizzforms/config`.
Use the least-privileged key that fits the task, avoid sharing the key in chat or code, and revoke or rotate it if it is no longer needed.
A mistaken command could disable a form, remove webhook delivery, or rotate a secret used by an application.
The documented commands can change live form behavior and webhook configuration. They are purpose-aligned, but they are account-mutating operations.
`forms:update <token> --active false` ... `plugins:delete <token> <plugin_id>` ... `plugins:rotate <token> <plugin_id>`
Require explicit user confirmation before account-changing operations and verify the target form token and plugin ID.
Form submissions may contain personal or business-sensitive data, and that data will be delivered to the configured webhook endpoint.
Webhook delivery intentionally sends all submitted form fields and metadata to a configured external URL.
The webhook receives a JSON POST on each submission ... `ip`, `user_agent`, `referrer`, `data`: { `name`, `email`, `message` } ... RizzForms captures ALL form fields
Only configure trusted HTTPS webhook URLs, verify that signature checking is implemented, and avoid collecting fields that are not needed.
