form2api
Security checks across malware telemetry and agentic risk
Overview
This skill is coherent with its stated purpose, but it captures authenticated browser traffic and extracts/caches session cookies, so it needs careful review before use.
Install or use this only if you are comfortable letting the agent inspect authenticated browser traffic and handle session cookies. Use a dedicated browser profile or test account, restrict it to sites you own or are authorized to automate, review the generated API calls before running them, and delete the /tmp form2api files and cookie cache afterward.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may record more than the single form submission you intended, including tokens, personal data, or internal API responses from the same page.
The injected browser script captures headers, bodies, and responses for network requests in the logged-in page. This is purpose-aligned, but broad enough to capture unrelated authenticated traffic and sensitive responses.
window.__capturedRequests.push({ type: 'fetch', url, method, requestHeaders, requestBody, responseStatus: result.status, responseBody, timestamp: Date.now() });
Use it only in an isolated browser session or test account, close unrelated tabs, inspect captured requests before generating code, and avoid pages with unrelated sensitive activity.
Anyone or any script with access to the printed or cached cookie value may be able to call the site’s APIs as you during the cookie’s validity.
The workflow extracts, prints, and caches browser session cookies for the target site. Session cookies are high-impact credentials that can authorize actions as the logged-in user.
COOKIE=$(python3 <skill_dir>/scripts/extract_cookies.py <target_url>)
echo $COOKIE
Cookies are auto-cached in `/tmp/form_api_cookies/` for 1 hour.
Only run this against accounts and systems where you are authorized to automate actions, avoid privileged admin sessions, and delete cached cookies after use.
Sensitive form data and session material may remain on disk after the task and could be reused accidentally or exposed to other local processes/users depending on system permissions.
The skill persists raw captured requests, analyzed API data, and cookies under /tmp. These artifacts can contain sensitive request bodies, headers, responses, and session credentials.
Save the result to `/tmp/form_api_raw.json`. Structured result saved to `/tmp/form_api_analysis.json`. Cookies are auto-cached in `/tmp/form_api_cookies/` for 1 hour.
Review and remove /tmp/form_api_raw.json, /tmp/form_api_analysis.json, and /tmp/form_api_cookies/ after use; prefer non-production accounts and do not capture highly sensitive forms.
