v1.0.0

Fizzy

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:51 AM.

Analysis

Fizzy is coherent for managing Fizzy work items, but users should notice that it requires installing a third-party CLI and using a read/write Fizzy API token.

GuidanceInstall only if you trust the referenced Fizzy CLI and are comfortable giving it a Fizzy read/write token. Prefer a limited token/account or default board, protect any config file containing the token, and review requested create/update actions before allowing changes to important Fizzy data.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

SKILL.md

brew install robzolkos/fizzy-cli/fizzy-cli

The runtime instructions depend on an external Homebrew-distributed CLI even though the registry says there is no install spec. Installing the CLI is central to the skill's purpose, but it is still a supply-chain dependency users should recognize.

User impactUsing the skill requires trusting the referenced Fizzy CLI package and its update channel.

RecommendationReview the Homebrew tap/package source before installing, keep it updated from a trusted source, and avoid installing it on systems where you cannot trust that package.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

SKILL.md

Generate a new token with Read + Write permissions

The skill needs a Fizzy API token capable of both reading and changing account data. This matches the stated management purpose, but it grants meaningful authority over the user's Fizzy workspace.

User impactIf configured with a broad token, the skill can access and modify Fizzy boards, cards, comments, steps, and reactions available to that token.

RecommendationUse the least-privileged Fizzy token available, limit it to the intended account or board where possible, store it securely, and revoke it when no longer needed.