Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Forms

v1.0.0

Create and deploy mobile-friendly forms with customizable fields, real-time validation, conditional logic, and integration options for various platforms.

by Iván (@ivangdavila)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (build/deploy forms) match the content: field types, validation, conditional logic, code samples, platform comparisons and integration examples. Nothing in the bundle asks for unrelated system access or secrets beyond the normal third‑party API keys expected for integrations.
Instruction Scope
SKILL.md and the included docs direct the agent to suggest fields, store templates/submissions under ~/forms/, and provide code/webhook examples. There are no instructions to read unrelated host files, harvest credentials, or exfiltrate data to unknown endpoints; external endpoints shown are typical integration targets (Zapier, Mailchimp, Slack, etc.).
Install Mechanism
No install spec and no code files executed at runtime (instruction-only). This minimizes risk because nothing is downloaded or written by the skill itself.
Credentials
The docs include many example environment variables and tokens (MAILCHIMP_API_KEY, HUBSPOT_TOKEN, DATABASE_URL, SESSION_SECRET, webhook URLs, etc.). These are examples for optional integrations/self-hosting and are not declared as required by the skill. Requiring many different service keys would be disproportionate, but here they are demonstration placeholders rather than mandatory requests.
Persistence & Privilege
The skill does not request persistent installation or elevated privileges; always:false and no modifications to other skill configs are suggested. Self-hosting instructions describe normal service environment variables (e.g., SESSION_SECRET) for users who choose to deploy.
Assessment
This skill is a documentation/guide bundle for building and deploying forms. Before using it: (1) understand examples showing API keys and webhook URLs are placeholders — only provide credentials to integrations you trust; (2) if you self-host, review docker-compose and DATABASE_URL/SESSION_SECRET values locally before running and use secret management (don't commit secrets to source control); (3) verify any webhook endpoints you configure (avoid sending submissions to unknown third-party URLs); (4) follow the security checklist in selfhosted.md (HTTPS, rate limiting, CSRF, file scanning) if you collect PII/PHI or handle payments; (5) if you want the agent to perform live integration actions, ensure you supply only narrowly scoped credentials and review every external call.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9718q2j0r9x4d46extdwm4w05814sz5

Runtime requirements

📝 Clawdis
OS: Linux · macOS · Windows
