ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Forms iOS

v1.0.2

Google Forms API integration with managed OAuth. Create forms, add questions, export responses to Excel, and summarize response data. Use this skill when use...

0· 77·0 current·0 all-time
by@dfaaa
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims Google Forms integration and the instructions implement that via a third‑party API (gformsfree.com). Requiring a single API key for that service is coherent, but the skill is not using Google’s public endpoints directly — it relies on a proxy/managed‑OAuth service. This is plausible but worth noting.
Instruction Scope
SKILL.md instructs the agent to always run an auth check and then call gformsfree.com endpoints for create/list/export/summary. It does not read other files or env vars beyond GFORMS_API_KEY. Two minor inconsistencies: the top text says “API key optional — skill will guide users,” but the commands are labelled as requiring GFORMS_API_KEY; and the skill mandates outputting a verbatim onboarding message when unauthorized (this is unusual but not inherently malicious).
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk and no external binaries are installed. This is the lowest install risk.
Credentials
Only one environment variable (GFORMS_API_KEY) is required, which is proportional to a service that uses an API key. However, that key will be sent to a third‑party domain (auth.gformsfree.com and api.gformsfree.com). The skill explicitly forbids exposing the key in messages, but users should understand they are delegating access to their Google Forms to the gformsfree.com service.
Persistence & Privilege
The skill does not request permanent/always inclusion and does not modify other skills or system configs. It uses normal autonomous invocation (platform default), which is expected for skills.
Assessment
This skill appears to be a coherent wrapper around a third‑party Forms service (gformsfree.com) rather than direct calls to Google's API. Before installing or setting GFORMS_API_KEY, verify the reputation and privacy policy of gformsfree.com and the associated app (https://gformsfree.com/app). Understand that giving an API key to this service grants it the ability to access and manage your Google Forms via its managed OAuth. If you need enterprise or sensitive‑data handling, prefer using official Google APIs or an approved provider. Also: check that the onboarding URL and API host are legitimate and match what you expect, and avoid using the skill with highly sensitive forms until you trust the third‑party service.

Like a lobster shell, security has layers — review code before you run it.

latestvk9772z2cmbgfe55gvjw8h788gn83gb3x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📋 Clawdis
EnvGFORMS_API_KEY

Comments