Forms
v1.0.0
Create and deploy mobile-friendly forms with customizable fields, real-time validation, conditional logic, and integration options for various platforms.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (build/deploy forms) match the content: field types, validation, conditional logic, code samples, platform comparisons and integration examples. Nothing in the bundle asks for unrelated system access or secrets beyond the normal third‑party API keys expected for integrations.
Instruction Scope
SKILL.md and the included docs direct the agent to suggest fields, store templates/submissions under ~/forms/, and provide code/webhook examples. There are no instructions to read unrelated host files, harvest credentials, or exfiltrate data to unknown endpoints; external endpoints shown are typical integration targets (Zapier, Mailchimp, Slack, etc.).
Install Mechanism
No install spec and no code files executed at runtime (instruction-only). This minimizes risk because nothing is downloaded or written by the skill itself.
Credentials
The docs include many example environment variables and tokens (MAILCHIMP_API_KEY, HUBSPOT_TOKEN, DATABASE_URL, SESSION_SECRET, webhook URLs, etc.). These are examples for optional integrations/self-hosting and are not declared as required by the skill. Requiring many different service keys would be disproportionate, but here they are demonstration placeholders rather than mandatory requests.
Persistence & Privilege
The skill does not request persistent installation or elevated privileges; always:false and no modifications to other skill configs are suggested. Self-hosting instructions describe normal service environment variables (e.g., SESSION_SECRET) for users who choose to deploy.
Assessment
This skill is a documentation/guide bundle for building and deploying forms. Before using it: (1) understand examples showing API keys and webhook URLs are placeholders — only provide credentials to integrations you trust; (2) if you self-host, review docker-compose and DATABASE_URL/SESSION_SECRET values locally before running and use secret management (don't commit secrets to source control); (3) verify any webhook endpoints you configure (avoid sending submissions to unknown third-party URLs); (4) follow the security checklist in selfhosted.md (HTTPS, rate limiting, CSRF, file scanning) if you collect PII/PHI or handle payments; (5) if you want the agent to perform live integration actions, ensure you supply only narrowly scoped credentials and review every external call.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📝 Clawdis
OS: Linux · macOS · Windows
latest
Quick Reference
| Topic | File |
|---|---|
| Field types by use case | types.md |
| Platform comparisons | platforms.md |
| Code generation (React, Flutter) | code.md |
| Validation patterns | validation.md |
| Integrations (webhooks, CRMs) | integrations.md |
| Self-hosted options | selfhosted.md |
User Profile
<!-- Edit to customize form suggestions -->
Preferred Stack
<!-- react | flutter | vue | html | no-code -->
Primary Use Case
<!-- leads | surveys | applications | feedback | registration -->
Default Platform
<!-- google-forms | typeform | tally | heyform | code-only -->
Data Storage
Store form definitions and templates in ~/forms/:
- templates — Reusable form definitions (JSON/YAML)
- submissions — Collected responses (if self-hosted)
- feedback — What converts well, what fails
Core Rules
- Ask use case before suggesting fields — lead form ≠ application form
- Progressive disclosure: start minimal, reveal complexity if needed
- Mobile-first: every form must work on phone
- Never more than 7 fields for lead capture — each field drops conversion ~10%
- Multi-step > single long form for 5+ fields
- Validate on blur, not just submit — immediate feedback
- Always include: clear labels, error states, success confirmation
- GDPR checkbox mandatory for EU — link to privacy policy
- Honeypot over CAPTCHA when possible — less friction
- File uploads need type + size limits — prevent abuse
- Conditional logic syntax: IF field=value THEN show/hide field
- Test on real devices — emulators miss keyboard quirks
