A SecOps expert to handle security issues, ensure that protections are in place and collect evidence for security analysis. The Skill also contains skill integrity checks.

v1.0.0

Perform SecOps endpoint checks for EDR, Sysmon, updates, EVTX alerts, least privilege, network exposure, credential protection, vulnerabilities, weekly asses...

4 · 2.1k · 8 current · 9 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and instructions describe a Windows-focused SecOps/endpoint-assessment skill (EDR, Sysmon, EVTX, least-privilege, vuln checks). The required capabilities (PowerShell/WMI/EVTX access) are appropriate for the stated purpose. There are no unrelated environment variables or odd external dependencies declared.
Instruction Scope (flagged)
Most instructions stay on-topic (read services, EVTX, registry, WMI). However the 'skill integrity' section instructs hashing 'other known skills' and storing those hashes — that explicitly reaches outside the skill's own scope and requires reading other skill files/configs. The SKILL.md also refers to 'attach summary or raise alert' and 'emit as event' without specifying where alerts/events should be sent (no SIEM/endpoint configuration variables), leaving unclear what external endpoints — if any — would receive data.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. That minimizes installation risk (nothing is downloaded or installed by the skill itself).
Credentials
The skill does not request any environment variables or credentials (proportionate). Note: many of the recommended checks (reading EVTX, querying Defender, checking domain Kerberos/NTLM settings) require elevated privileges or domain visibility to perform fully; the skill does not document required privilege level or how credentials/privileged access are obtained.
Persistence & Privilege (flagged)
The guidance to 'store hashes' and to re-hash other skills on each wake implies persistence and access to other skill files or agent storage. The skill metadata shows always:false, but the SKILL.md expects the skill to maintain state across wakes and access other skills' data — this crosses into modifying/reading other-skill areas and is underspecified (where it is stored, who can read it, how long it is retained).
What to consider before installing
This skill's checks match a legitimate SecOps endpoint assessor, but two behaviors need clarification before installation: (1) The SKILL.md directs the agent to hash 'other known skills' and store those hashes — ask the publisher what file paths will be read, where hashes will be stored, and who can access them. (2) The skill says it will 'emit' events/alerts but provides no configuration for destinations (SIEM, webhook, telemetry) — ask where alerts go and whether any external endpoints will receive log or system data. Also be aware the checks require elevated privileges to be complete; run initially on a test host, confirm expected privilege model, and require explicit configuration for any external integrations. Given the source/homepage fields are inconsistent (SKILL.md lists securityjoes.com but registry/source is 'unknown' and homepage 'none'), verify publisher identity and prefer an audited release or approved internal source before using in production.


latest: vk978jfa21bq0j9vfewa2ghr6kd80eyb2

