supportforge-api
v1.0.0AI-powered customer support automation using SupportForge API - customer support, help desk, ticket routing, auto-reply, automated responses, customer servic...
⭐ 0· 235·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md clearly expects an API key and shows many API calls to https://supportforge.vosscg.com, which is coherent with the described SupportForge purpose. However, the registry metadata declares no primary credential or required env var for that API key. The skill therefore fails to declare the main secret it depends on, which is an inconsistency that affects how an agent/platform should provision and secure the key.
Instruction Scope
Instructions are instruction-only curl examples and user-flow steps (ask for email, create API key, store it, call endpoints). These stay within the described support-automation scope. However, the instructions direct the agent to send the user's email to an external domain to create a key and provide only vague guidance about where/how to store the API key ("Save the key securely"). That raises privacy/security concerns but is not intrinsically out-of-scope for a support API skill.
Install Mechanism
No install spec and no code files — the skill is instruction-only, so it doesn't write or execute code on disk. This is the lowest-risk install mechanism.
Credentials
The skill uses an API key extensively in examples but does not declare any required environment variables or a primary credential in the metadata. There is no guidance in the SKILL.md about a named env var, config path, or secure storage method. The absent declaration of the API key is a proportionality/visibility problem: the platform and user won't have a clear, auditable place to supply or protect the credential.
Persistence & Privilege
always is false and disable-model-invocation is not set; the skill does not request persistent or elevated platform privileges. It does not attempt to modify other skills or system-wide settings.
What to consider before installing
This skill appears to actually call an external SupportForge service and requires an API key, but the registry entry does not declare that credential or provide a vendor homepage. Before installing or using it: 1) verify the vendor and domain (supportforge.vosscg.com) and ask the publisher for a homepage or documentation; 2) request that the skill declare a primary credential or env var name so the platform can store the API key securely (avoid pasting keys into chat); 3) understand that the skill will send users' emails and ticket text to that external service — confirm that's acceptable for your privacy/compliance needs; 4) consider running it in a sandbox or with a throwaway account first; and 5) if you proceed, monitor network activity and rotate the API key if you stop using the skill.Like a lobster shell, security has layers — review code before you run it.
latestvk978cmtqpayw94yvyhccpe2pas828a64
License
MIT-0
Free to use, modify, and redistribute. No attribution required.