Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Digiforma

v1.0.0

Query Digiforma training management platform via GraphQL API. Use when asked about trainees, sessions, invoices, programs, trainers, or any training data.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)
The skill's name and description match the instructions (query Digiforma GraphQL API). However, the SKILL.md explicitly requires a Bearer token via the environment variable DIGIFORMA_API_KEY while the registry metadata lists no required environment variables or primary credential — an incoherence between declared capabilities and what the skill actually needs.
Instruction Scope (flagged)
The instructions stay within the stated purpose (building and POSTing GraphQL queries to https://app.digiforma.com/api/v1/graphql). They do not request system files or unrelated environment variables. The problem: the runtime instructions reference an environment variable (DIGIFORMA_API_KEY) that is not declared in the skill metadata, which could lead to accidental secret exposure if users are not warned.
Install Mechanism
Instruction-only skill with no install steps or code to write to disk. This is lower risk because nothing is downloaded or installed by the skill package itself.
Credentials (flagged)
SKILL.md requires DIGIFORMA_API_KEY (a secret) but the skill's declared requirements list no environment variables or primary credential. The skill is therefore not transparently declaring the secret access it needs; this lack of declaration is disproportionate and a potential governance/privacy risk.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It is user-invocable and allows normal autonomous invocation (disable-model-invocation is false), which is the platform default and not itself a red flag here.
What to consider before installing
This skill appears to do what it claims (send GraphQL queries to Digiforma) but its metadata fails to declare the API key that the instructions require. Before installing:

1) Verify the skill publisher/source — no homepage or known owner is provided.
2) Do not provide your DIGIFORMA_API_KEY unless you trust the source; request that the skill metadata be corrected to list DIGIFORMA_API_KEY as a required credential.
3) If you must use it, create a least-privilege API token on Digiforma (scoped and revocable) and rotate it after testing.
4) Be aware queries can return sensitive trainee data (PII); consider restricting the agent's ability to run the skill autonomously (require manual invocation) or enforce network/egress controls.
5) Prefer HTTPS (the endpoint is HTTPS) and confirm the endpoint URL with Digiforma docs.

If the publisher cannot justify the missing credential declaration or is unknown, treat the skill cautiously or avoid installing it.


Runtime requirements

Clawdis