Skill v0.2.0
ClawScan security
GateCrash Forms · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 2:12 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, install method, and runtime instructions align with a CLI-first form builder: it installs an npm CLI, runs that CLI via small wrapper scripts, and asks users to configure SMTP credentials locally; nothing here is disproportionate or covert.
- Guidance: This skill appears coherent with its stated purpose, but take these practical precautions before installing or providing SMTP credentials: 1) Verify the npm package and author on the npm registry and GitHub link (review package contents and recent activity). 2) Inspect where the CLI stores configuration (so you know where SMTP credentials are written) and consider using an app-specific password or limited mailbox account rather than your main email credentials. 3) If you plan to expose the server publicly, review security settings (TLS, rate limits, CSRF implementation) and run the service in an isolated environment. 4) Note the small metadata/version mismatch in _meta.json vs. registry version; it is minor, but you may want to confirm you have the intended release. If you need higher assurance, review the gatecrash-forms source code before use.
Review Dimensions
- Purpose & Capability: ok. Name/description (form builder, BYOK) match the declared binaries (gatecrash-forms, node), the npm install of package gatecrash-forms, example schemas, and CLI wrapper scripts. Requested artifacts are appropriate for a self-hosted form generator.
- Instruction Scope: ok. SKILL.md only instructs installing the CLI, generating forms, serving them, initializing a project, and configuring SMTP via the CLI. It does not direct the agent to read unrelated system files, exfiltrate data, or call unexpected external endpoints. Example commands and file paths are limited to the project (forms/, responses/).
- Install Mechanism: ok. Install is via the public npm package 'gatecrash-forms' (global install). This is a standard, traceable install method; no arbitrary download URLs or archive extraction are used in the skill metadata or SKILL.md.
- Credentials: ok. The skill declares no required environment variables and does not demand unrelated credentials. It documents storing SMTP credentials via the CLI (smtp.auth.user/pass), which is expected for an email-forwarding form tool. The skill does not request excessive or unrelated secrets.
- Persistence & Privilege: ok. 'always' is false and the skill does not request permanent platform-level presence or modify other skills. It will install a CLI binary and store its own config (expected behavior for a CLI tool).
