Let's Clarify
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent third-party form service integration, but users should be mindful that it sends human responses, uploaded files, and polling tasks through Let's Clarify.
Install only if you are comfortable using Let's Clarify as a hosted form service. Protect the API key, avoid collecting unnecessary sensitive information, review form links and recipient counts before sending, treat submitted responses and files as untrusted input, and clean up old forms and cron jobs when finished.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent with the API key may be able to manage forms and retrieve responses for that Let's Clarify account.
The skill requires a Let's Clarify bearer API key for authenticated operations. This is expected for the service, but the key grants account-level access to create, read, and delete forms.
**Auth:** `Authorization: Bearer lc_...` on all API calls.
Store the API key securely, limit who can access it, and delete or rotate it when no longer needed.
Form content and responses may pass through Let's Clarify and, if configured, a webhook endpoint controlled by the user.
The skill routes agent tool calls through a remote MCP endpoint and can send submission payloads to a configured webhook URL. This is disclosed and central to the integration.
**Endpoint:** `https://letsclarify.ai/mcp` ... `webhook_url`: `https://example.com/webhook`
Use webhooks only with HTTPS endpoints you control, and do not collect confidential data unless you are comfortable with the service handling it.
A respondent could submit misleading text or files that influence the agent's later summary or decisions.
Human-submitted responses and uploaded files can be fetched back into the agent's context. These inputs are expected, but they should be treated as untrusted user content.
`GET /api/v1/forms/{form_token}/results` ... `response_json`, `files` ... `include_files=1`
Have the agent summarize responses cautiously, avoid treating submitted text as instructions, and review important approvals or uploaded files before acting on them.
A polling job may continue running periodically if it is not removed after the form completes or expires.
The skill recommends recurring cron polling so the agent can check form status later. The behavior is disclosed and scoped to a form token, but it is persistent until removed.
`openclaw cron add --name "poll-lc-{form_token}" --every 10m`
Use the one-shot option when possible, confirm recurring jobs are removed after completion, and delete old forms when they are no longer needed.
An incorrectly configured form could generate many recipient links or be sent more broadly than intended.
The skill can create and expand forms for many recipients. This is aligned with collecting human input, but users should intentionally choose recipient counts and distribution channels.
`recipient_count` accepts 1–1,000 ... `Max 1,000/request, 10,000/form`
Review the schema, recipient count, and destination list before distributing form URLs.
