Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SupportForge
v1.0.0AI customer support via SupportForge API — ticket creation, auto-replies, routing, knowledge base search. Use when user needs customer support automation, ti...
⭐ 0· 291·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the included behavior (ticket create, kb search, key signup). However the registry metadata declares no required env vars or primary credential while both SKILL.md and scripts clearly require SUPPORTFORGE_API_KEY or SUPPORTFORGE_EMAIL (and optionally SUPPORTFORGE_API_URL). That metadata omission is an inconsistency that could hide the fact this skill needs credentials.
Instruction Scope
SKILL.md and the script instruct the agent to POST user email or ticket payloads to https://anton.vosscg.com (or SUPPORTFORGE_API_URL). The script will auto-sign up by POSTing the provided email and then echo the returned api_key to stderr, which risks exposing the key in logs. The instructions do not ask for unrelated files, but they do send user email and support ticket content to an external, unverified host.
Install Mechanism
No install spec (instruction-only) and a small shell helper script are included. No downloads or archive extraction are performed by the skill package itself, which is low risk from an installation mechanics standpoint.
Credentials
Only an API key or email is needed for the described functionality, which is proportionate — but the skill metadata fails to declare these required env vars. The script also reads SUPPORTFORGE_API_URL if present. Requiring an email that will be POSTed to an external domain and printing API keys to stderr are privacy/credential-handling concerns.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistent privileges or modify other skills. Autonomous invocation is allowed (default) but is not combined with other high-risk properties here.
What to consider before installing
This skill appears to implement a customer-support API client, but there are several things to consider before installing: (1) the registry metadata does not list the required env vars (SUPPORTFORGE_API_KEY or SUPPORTFORGE_EMAIL and optionally SUPPORTFORGE_API_URL) — treat this omission as suspicious. (2) The bundle talks to and auto-signs up at anton.vosscg.com, a domain with no homepage or owner info in the registry entry; verify the vendor and confirm you trust that endpoint before sending real emails or API keys. (3) The included script prints any obtained API key to stderr ("✅ Free key: ..."), which can leak secrets into logs or agent traces — avoid using production credentials or set up an isolated/test account. (4) If you need this functionality, prefer providing a scoped API key (not your personal or high-privilege email/credentials) and consider contacting the vendor or examining network traffic to confirm no unexpected endpoints are used. If you want higher assurance, ask the publisher for provenance (homepage, source repo) or for the skill to declare required env vars in the manifest and to stop echoing secrets.Like a lobster shell, security has layers — review code before you run it.
latestvk97b47mtsg7rghfgf5kz2p2vas826dw2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.