Fizzy

v1.0.0

Manages Fizzy boards, cards, steps, comments, and reactions. Use when user asks about boards, cards, tasks, backlog or anything Fizzy.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name/description (manage Fizzy boards/cards) matches the runtime instructions that call a Fizzy CLI and require a token, account, and API URL — those capabilities make sense for the stated purpose.
Instruction Scope
SKILL.md instructs installing a CLI and setting environment variables or a config file (~/.config/fizzy/config.yaml). It does not appear to direct the agent to read unrelated system files or exfiltrate arbitrary data, but it does reference a specific user config path that the registry metadata did not declare.
Install Mechanism
Installation is via Homebrew from the robzolkos/fizzy-cli tap. Homebrew is a standard mechanism, but this is a third‑party tap (not an official, widely‑known namespace) which increases risk compared to an official release host. Also, install instructions are macOS‑oriented while the skill metadata lists no OS restriction.
Credentials
SKILL.md requires FIZZY_TOKEN, FIZZY_ACCOUNT, FIZZY_API_URL (and optionally FIZZY_BOARD) and a config file path, but the registry metadata lists no required environment variables or config paths. That mismatch is a meaningful inconsistency: the skill will need sensitive credentials that were not declared in its metadata.
Persistence & Privilege
This is an instruction‑only skill with no install spec baked into the registry and always:false. It does not request elevated or permanent platform privileges in the metadata.
What to consider before installing
This skill appears to genuinely manage Fizzy boards, but there are mismatches you should resolve before trusting it. SKILL.md asks you to install a third‑party Homebrew tap and to provide a personal API token, account slug, and API URL (or put them in ~/.config/fizzy/config.yaml). However, the registry metadata does not declare those required environment variables or config paths. Before installing or providing credentials:

1) Verify the Homebrew tap owner (robzolkos) and inspect the fizzy-cli source code or formula to ensure it is legitimate.
2) Prefer creating a least‑privilege token (read/write scope minimized) and avoid putting long‑lived secrets in global shell profiles; use a session‑scoped export or a restricted config file.
3) Confirm the API URL is the intended service (self‑hosted endpoint) to avoid accidentally sending data to an attacker-controlled host.
4) If you cannot verify the tap/source, run the CLI in an isolated environment (container, throwaway VM) or decline installation.

The metadata inconsistency is the main reason for caution.

Like a lobster shell, security has layers — review code before you run it.
