NetPad - Build forms, workflows and manage MongoDB data
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: netpad
Version: 1.0.0
The skill bundle is designed to manage NetPad forms, submissions, users, and RBAC via its API and CLI. The `SKILL.md` provides clear instructions and examples for interacting with the `netpad.io` service. The `scripts/netpad.sh` is a shell wrapper that uses `curl` and `jq` to perform API operations, correctly utilizing the `NETPAD_API_KEY` for authentication to the specified `netpad.io` domain. There is no evidence of data exfiltration, malicious execution (e.g., `curl|bash` from untrusted sources), persistence mechanisms, obfuscation, or prompt injection attempts against the agent to subvert its intended purpose. All actions are aligned with the stated goal of managing the NetPad service.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with an admin-level key or login, the agent could change organization membership, roles, and access in NetPad.
This shows the skill operates with delegated NetPad credentials and can manage account privileges. That is expected for this NetPad admin purpose, but users should understand the account boundary and use least-privilege credentials.
Managing users/groups/roles (RBAC) ... Requires NETPAD_API_KEY for API, or `netpad login` for CLI.
Use a limited-scope or test NetPad credential where possible, and require explicit approval before RBAC or membership changes.
A wrong form or submission ID could cause unintended deletion or other account changes.
The wrapper exposes direct destructive API operations, including deleting forms and similarly deleting submissions. This is purpose-aligned for a management tool, but the script does not add an extra confirmation prompt.
api DELETE "/forms/${3:?Form ID required}"
Confirm resource IDs, back up important data, and ask the agent to get approval before delete, publish, unpublish, or bulk-update actions.
Installing or updating the external CLI could introduce behavior outside the reviewed skill files.
The skill depends on an external npm CLI package that is not included in the reviewed artifacts and is not pinned here. This is normal for a CLI integration, but provenance and version trust matter.
node | package: @netpad/cli | creates binaries: netpad
Install @netpad/cli only from a trusted npm source, consider pinning a known-good version, and review marketplace plugins before installing them.
Exported submissions could expose customer, employee, or business information if copied into prompts, logs, or shared files.
The export command can pull bulk form submission data into the local output or agent context. That is expected for a submissions management tool, but submissions may contain personal or business-sensitive data.
api GET "/forms/${form_id}/submissions?pageSize=1000" | jq -r '.data[].data | @json'
Export only the submissions needed, avoid including sensitive fields in agent conversations, and store exported data securely.
