ClawHub

JotForm

Security checks across malware telemetry and agentic risk

Overview

This is a coherent JotForm integration, but it uses a Maton API key/OAuth connection and can read or change forms and submissions, so users should review permissions before use.

This skill appears purpose-aligned and does not show hidden or destructive behavior. Before installing, make sure you trust Maton to proxy JotForm data, protect the MATON_API_KEY, choose the correct JotForm connection when multiple accounts exist, and carefully confirm any operation that creates, updates, or deletes forms, submissions, or webhooks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone or any agent using this key through the skill may be able to access the connected JotForm account's forms, submissions, and metadata.

Why it was flagged

The skill depends on a sensitive API key and managed OAuth access to a connected JotForm account.

Skill content
All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY
Recommendation

Only install/use this if you trust the Maton/JotForm integration, keep the API key private, and revoke or delete connections when they are no longer needed.

#
ASI02: Tool Misuse and Exploitation
Low
What this means

If the user approves the wrong action or target ID, forms, submissions, or webhooks could be changed or deleted.

Why it was flagged

The skill exposes create and delete operations for JotForm resources, which can change or remove user data.

Skill content
POST /jotform/user/forms ... DELETE /jotform/form/{formId} ... DELETE /jotform/submission/{submissionId}
Recommendation

Confirm the exact form, submission, or webhook before approving any create, update, or delete operation.

#
ASI07: Insecure Inter-Agent Communication
Medium
What this means

Form and submission data may pass through Maton's infrastructure as part of the integration.

Why it was flagged

JotForm requests and returned form/submission data are routed through a third-party proxy service.

Skill content
Maton proxies requests to `api.jotform.com` and automatically injects your API key.
Recommendation

Review Maton's trust, privacy, and account-connection controls before using this skill with sensitive form data.