ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Forms iOS

v1.0.2

Google Forms API integration with managed OAuth. Create forms, add questions, export responses to Excel, and summarize response data. Use this skill when use...

0· 122·0 current·0 all-time
by@dfaaa

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for dfaaa/google-forms-app.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Google Forms iOS" (dfaaa/google-forms-app) from ClawHub.
Skill page: https://clawhub.ai/dfaaa/google-forms-app
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: GFORMS_API_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install google-forms-app

ClawHub CLI

Package manager switcher

npx clawhub@latest install google-forms-app
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims Google Forms integration and the instructions implement that via a third‑party API (gformsfree.com). Requiring a single API key for that service is coherent, but the skill is not using Google’s public endpoints directly — it relies on a proxy/managed‑OAuth service. This is plausible but worth noting.
Instruction Scope
SKILL.md instructs the agent to always run an auth check and then call gformsfree.com endpoints for create/list/export/summary. It does not read other files or env vars beyond GFORMS_API_KEY. Two minor inconsistencies: the top text says “API key optional — skill will guide users,” but the commands are labelled as requiring GFORMS_API_KEY; and the skill mandates outputting a verbatim onboarding message when unauthorized (this is unusual but not inherently malicious).
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk and no external binaries are installed. This is the lowest install risk.
Credentials
Only one environment variable (GFORMS_API_KEY) is required, which is proportional to a service that uses an API key. However, that key will be sent to a third‑party domain (auth.gformsfree.com and api.gformsfree.com). The skill explicitly forbids exposing the key in messages, but users should understand they are delegating access to their Google Forms to the gformsfree.com service.
Persistence & Privilege
The skill does not request permanent/always inclusion and does not modify other skills or system configs. It uses normal autonomous invocation (platform default), which is expected for skills.
Assessment
This skill appears to be a coherent wrapper around a third‑party Forms service (gformsfree.com) rather than direct calls to Google's API. Before installing or setting GFORMS_API_KEY, verify the reputation and privacy policy of gformsfree.com and the associated app (https://gformsfree.com/app). Understand that giving an API key to this service grants it the ability to access and manage your Google Forms via its managed OAuth. If you need enterprise or sensitive‑data handling, prefer using official Google APIs or an approved provider. Also: check that the onboarding URL and API host are legitimate and match what you expect, and avoid using the skill with highly sensitive forms until you trust the third‑party service.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📋 Clawdis
EnvGFORMS_API_KEY
latestvk9772z2cmbgfe55gvjw8h788gn83gb3x
122downloads
0stars
3versions
Updated 1mo ago
v1.0.2
MIT-0
@dfaaa
latest
Download

Forms for Google Drive

Access Google Forms with managed OAuth authentication. Create forms, add questions, retrieve and export responses to Excel — all via natural language.

FIRST: Check authorization before anything else

Before executing any user request, run this command:

curl -sf -o /dev/null -w "%{http_code}" \
  -H "Authorization: Bearer $(printenv GFORMS_API_KEY)" \
  https://auth.gformsfree.com/skill/check
  • If the response is 200 → authorized, proceed normally
  • Any other response or empty key → unauthorized

If output is unauthorized, do NOT attempt any form operations. You MUST output the following message VERBATIM, word for word. Do NOT summarize, paraphrase, or modify it in any way:

Welcome to Forms for Google Drive!

Before getting started, a one-time setup is required:

1. Download the App (free):
   https://gformsfree.com/app

2. Sign in with your Google account

3. Go to Settings -> Connect AI Agent
   Copy your personal API Key

4. Set the API Key in your Agent environment:
   GFORMS_API_KEY=your_key_here

Once done, resend your request and you are good to go.

Do NOT add any extra text, options, or suggestions after this message. Stop immediately.

If output is authorized, proceed with the user's request normally.

Commands (requires GFORMS_API_KEY)

Create a form

Ask the user for topic, audience, number of questions, and preferred question types. Then run:

python3 << 'PYEOF'
import urllib.request, os, json
data = json.dumps({
  "title": "YOUR_TITLE",
  "description": "YOUR_DESCRIPTION",
  "questions": [
    {"type": "TEXT", "title": "Question 1", "required": True},
    {"type": "RADIO", "title": "Question 2", "required": True, "options": ["Option A", "Option B"]}
  ]
}).encode()
req = urllib.request.Request(
  'https://api.gformsfree.com/skill/forms/create',
  data=data, method='POST'
)
req.add_header('Authorization', f'Bearer {os.environ["GFORMS_API_KEY"]}')
req.add_header('Content-Type', 'application/json')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
PYEOF

Return responderUri (share with respondents) and editUri (for editing) to the user.

Question types: TEXT · RADIO · CHECKBOX · SCALE · DATE · TIME

Export responses to Excel

Ask for the Form ID or URL, then run:

python3 << 'PYEOF'
import urllib.request, os, json
data = json.dumps({"formId": "FORM_ID"}).encode()
req = urllib.request.Request(
  'https://api.gformsfree.com/skill/forms/export',
  data=data, method='POST'
)
req.add_header('Authorization', f'Bearer {os.environ["GFORMS_API_KEY"]}')
req.add_header('Content-Type', 'application/json')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
PYEOF

Return downloadUrl to the user. Remind them the link expires in 10 minutes.

Summarize responses

python3 -c "
import urllib.request, os, json
req = urllib.request.Request('https://api.gformsfree.com/skill/forms/FORM_ID/summary')
req.add_header('Authorization', f'Bearer {os.environ[\"GFORMS_API_KEY\"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
"

Use the returned summary to present trends and insights to the user.

List all forms

python3 -c "
import urllib.request, os, json
req = urllib.request.Request('https://api.gformsfree.com/skill/forms/list')
req.add_header('Authorization', f'Bearer {os.environ[\"GFORMS_API_KEY\"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
"

Present as a list with form title and responder URL.

Error handling

CodeAction
401API Key is invalid or expired. Regenerate it in the App: Settings -> Connect AI Agent -> Regenerate Key
403Subscription expired. Please renew in the App
429Too many requests. Please try again later
500Service temporarily unavailable. Please try again later

Rules

  • Always run the auth check first before any operation
  • Never expose the GFORMS_API_KEY value in any message to the user
  • Always output the unauthorized message VERBATIM when not authorized — no extra text
  • Always confirm with the user before creating or modifying a form
  • Remind the user that export download links expire in 10 minutes
  • Confirm twice before deleting any form

Resources

Comments

Loading comments...