fizzy.do - have your agent read, understand and update your fizzy.do boards
v1.0.0Use the fizzy-cli tool to authenticate and manage Fizzy kanban boards, cards, comments, tags, columns, users, and notifications from the command line. Apply this skill when you need to list, create, update, or delete Fizzy resources or when scripting Fizzy workflows.
⭐ 1· 1.9k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes a fizzy-cli wrapper to manage boards, cards, comments, tags, etc., which matches the skill name and description. However, the registry metadata lists no required environment variables or config paths while the SKILL.md explicitly refers to FIZZY_TOKEN, FIZZY_BASE_URL, FIZZY_ACCOUNT, FIZZY_CONFIG and a config file at ~/.config/fizzy/config.json. That mismatch (instructions expecting credentials/config but metadata claiming none) is an incoherence that should be clarified.
Instruction Scope
Instructions are narrowly scoped to running fizzy-cli commands for authentication and CRUD operations. They reference a local config file and environment variables, and include examples that upload local files (e.g., --image ./hero.png) — those are expected for this purpose but do give the skill a reason to read local files and the config. The instructions do not direct data to any unexpected external endpoint beyond the Fizzy base URL, but they do assume access to env vars and config which were not declared in registry metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which is low-risk from an install perspective. It does assume the fizzy-cli binary exists on PATH but does not attempt to download or install anything itself.
Credentials
The environment variable usage described in SKILL.md (FIZZY_TOKEN, FIZZY_BASE_URL, FIZZY_ACCOUNT, FIZZY_CONFIG) is proportionate to the stated purpose (auth and API endpoint configuration). The problem is that the registry metadata declared no required env vars or primary credential — so the skill may rely on secrets/config that the registry does not surface. That gap can lead to surprises or accidental exposure if users assume no credentials are needed.
Persistence & Privilege
The skill does not request persistent presence (always: false), does not include install-time scripts, and does not claim to modify other skills or system-wide settings. It appears to operate only by invoking fizzy-cli when used, which is appropriate for its purpose.
What to consider before installing
This skill appears to be a thin set of instructions for using an existing fizzy-cli tool. Before installing or enabling it: (1) confirm you trust the skill author/source and that you actually have the fizzy-cli binary installed; (2) expect the agent to use a Fizzy API token (FIZZY_TOKEN) and possibly read ~/.config/fizzy/config.json — provision a least-privileged token or test with a throwaway account; (3) be aware commands like `--image ./hero.png` will read and upload local files, so don't point it at sensitive files; (4) ask the publisher why the registry metadata lists no required env vars when SKILL.md references credentials/config, and get explicit instructions on where credentials will be stored and how they are used; (5) if you cannot verify those points, avoid enabling the skill or run it in an isolated environment.Like a lobster shell, security has layers — review code before you run it.
latestvk97fwwf8fdq9hrvdgwq7h3sg6n7ywvpk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.