NetPad - Build forms, workflows and manage MongoDB data
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate NetPad management helper, but it can use your NetPad credentials to change or delete data and alter access, so treat it like an admin tool.
Install this only if you want the agent to act as a NetPad admin/data helper. Use a least-privilege or test API key when possible, verify NETPAD_BASE_URL before use, review the npm CLI and marketplace packages you install, and require confirmation before delete, publish, export, or RBAC changes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with an admin-level key or login, the agent could change organization membership, roles, and access in NetPad.
This shows the skill operates with delegated NetPad credentials and can manage account privileges. That is expected for this NetPad admin purpose, but users should understand the account boundary and use least-privilege credentials.
Managing users/groups/roles (RBAC) ... Requires NETPAD_API_KEY for API, or `netpad login` for CLI.
Use a limited-scope or test NetPad credential where possible, and require explicit approval before RBAC or membership changes.
A wrong form or submission ID could cause unintended deletion or other account changes.
The wrapper exposes direct destructive API operations, including deleting forms and similarly deleting submissions. This is purpose-aligned for a management tool, but the script does not add an extra confirmation prompt.
api DELETE "/forms/${3:?Form ID required}"
Confirm resource IDs, back up important data, and ask the agent to get approval before delete, publish, unpublish, or bulk-update actions.
Installing or updating the external CLI could introduce behavior outside the reviewed skill files.
The skill depends on an external npm CLI package that is not included in the reviewed artifacts and is not pinned here. This is normal for a CLI integration, but provenance and version trust matter.
node | package: @netpad/cli | creates binaries: netpad
Install @netpad/cli only from a trusted npm source, consider pinning a known-good version, and review marketplace plugins before installing them.
Exported submissions could expose customer, employee, or business information if copied into prompts, logs, or shared files.
The export command can pull bulk form submission data into the local output or agent context. That is expected for a submissions management tool, but submissions may contain personal or business-sensitive data.
api GET "/forms/${form_id}/submissions?pageSize=1000" | jq -r '.data[].data | @json'
Export only the submissions needed, avoid including sensitive fields in agent conversations, and store exported data securely.
