Forms for Google Drive
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is consistent with a Google Forms integration, but it uses a third-party API key to access and export Google Forms data, so users should verify the provider and handle exports carefully.
This appears purpose-aligned for managing Google Forms. Before installing, make sure you trust the Forms for Google Drive app/API, understand that form responses may pass through that provider, keep the GFORMS_API_KEY secret, and review any create or export action before sharing resulting links.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent with the API key may be able to access the connected Google Forms capabilities allowed by the provider.
The skill uses a delegated API key tied to Google Forms access. This is expected for the stated integration, but it is still account authority that should be treated as sensitive.
Access Google Forms with managed OAuth authentication... All requests require the API key in the Authorization header: Authorization: Bearer $GFORMS_API_KEY
Only install this if you trust the Forms for Google Drive provider, keep GFORMS_API_KEY private, and revoke or rotate it if the integration is no longer needed.
Form responses may include personal or business-sensitive information, and an exported link could expose that data if shared with the wrong recipient.
The skill routes Google Forms response data through an external provider and can return a temporary download link containing all responses for a form.
Generate a downloadable Excel file of all form responses... "downloadUrl": "https://api.gformsfree.com/skill/files/xxx.xlsx", "expiresIn": 600
Use exports only for intended forms, share download links carefully, and avoid exporting forms that contain highly sensitive data unless the provider is trusted.
The agent could create forms in the connected Google account when asked to do so.
The skill can create Google Forms in the connected account. This is purpose-aligned, but it is still a mutating action.
Create a new Google Form with questions in a single request. POST /forms/create
Confirm form titles, descriptions, and questions before allowing the agent to create a new form.
Users have less provenance information for evaluating the provider behind the Google Forms integration.
The registry metadata does not provide a source repository or homepage, while the skill depends on an external app/API provider.
Source: unknown; Homepage: none
Verify the app and API provider independently before connecting a Google account or storing the API key.