Agentvulnly Vulnerability Scanner

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a disclosed, external API-based vulnerability scanner; users should note that it sends agent security details to ToolWeb, uses a ToolWeb API key, and may consume billable API calls.

Install only if you are comfortable using ToolWeb's external API for scans. Provide a dedicated API key if possible, watch quota or billing, and avoid including real secrets or highly confidential infrastructure details in the scan inputs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill can consume the user's ToolWeb quota or billable account access.

Why it was flagged

The skill requires a ToolWeb API key and sends it as an authentication header to the ToolWeb endpoint. This is expected for the service, but it gives the skill authority to make API calls on the user's ToolWeb account.

Skill content

`TOOLWEB_API_KEY` — Get your API key from [portal.toolweb.in](https://portal.toolweb.in) ... `-H "X-API-Key: $TOOLWEB_API_KEY"`

Recommendation

Use a scoped or revocable ToolWeb API key if available, monitor usage, and avoid sharing the key outside the skill configuration.

What this means

Details about the user's agent design, authentication model, and security posture may leave the local environment and be processed by ToolWeb.

Why it was flagged

The skill sends AI-agent architecture and security-control details to an external provider API. That data flow is disclosed and purpose-aligned, but the artifacts do not describe retention or privacy handling.

Skill content

POST https://portal.toolweb.in/apis/security/agentvulnly ... `authMechanism` ... `dataFlow` ... `tokenHandling` ... `accessControl`

Recommendation

Do not include actual secrets, tokens, private code, or confidential infrastructure details unless you are comfortable sharing them with ToolWeb.

What this means

A scan request may trigger a paid or quota-consuming API call, and the result depends on the external service rather than the local agent's own analysis.

Why it was flagged

The skill explicitly directs the agent to rely on a paid external API whenever it is used. This is disclosed and aligned with the API-backed scanner model, but users should understand the cost and reliance implications.

Skill content

**ALWAYS call the ToolWeb API endpoint using curl.** Do NOT answer from your own knowledge. ... Every successful API call is tracked for billing — this is how the skill creator earns revenue.

Recommendation

Confirm that a ToolWeb scan is desired before invoking the skill, especially on paid plans or shared API keys.