Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Compliance Checklist Gen
v1.0.0
Generates industry-specific and region-specific compliance checklists to streamline regulatory adherence and audit preparation.
by ToolWeb (@krishnakumarmahadevan-cmd)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
Name and description match the included SKILL.md and openapi.json: both describe an API that generates industry- and region-specific compliance checklists. That core purpose is coherent with the provided examples and endpoints. However, the registry metadata lists no homepage/source and the SKILL.md advertises external hosts (toolweb.in, api.mkkpro.com) that are not reflected in the registry provenance, which reduces trust.
Instruction Scope
The SKILL.md describes calling an external API (POST /generate-checklist at api.mkkpro.com / Kong route). It does not instruct reading local files or unrelated env vars, but it also does not declare how to authenticate, where exactly the base URL should come from, or any privacy/consent safeguards. The openapi.json and the JSON examples disagree in places (example shows JSON body/response; openapi uses application/x-www-form-urlencoded and an empty response schema). This ambiguity increases the chance the agent will send user-provided organizational context or sensitive details to an external service without clear constraints.
Install Mechanism
Instruction-only skill with no install spec and no code files. No binaries or archives will be downloaded or written to disk by an installer — lowest install risk.
Credentials
The skill declares no required environment variables or credentials, which is plausible for a public demo API. But SKILL.md references external API endpoints and commercial pricing (plans), suggesting a hosted service that may require keys not declared. Because authentication, telemetry, and privacy terms are not specified, any organization-specific inputs supplied could be transmitted to a third party. The lack of declared credentials or data handling guidance is disproportionate to the risk of sending potentially sensitive compliance context.
Persistence & Privilege
The skill is not always-included and uses default autonomous invocation settings. It does not request to modify other skills or system settings. No persistence or privileged system access is requested.
Scan Findings in Context
[no_regex_findings] expected: The static scanner found nothing — expected because this is an instruction-only skill with no code files. Absence of findings is not assurance of safety; the SKILL.md itself contains the runtime behavior (calling external APIs).
What to consider before installing
This skill appears to be a thin wrapper around an external hosted API (toolweb.in / api.mkkpro.com) with unclear provenance and inconsistent API documentation. Before installing or using it: (1) Do NOT send real or sensitive organizational data to it — test with non-sensitive dummy inputs first. (2) Ask the publisher for the exact base URL, authentication method, and a privacy/data-retention policy (who can access submitted data). (3) Verify the service's reputation (owner/site) or request a self-hostable/local alternative if you must process confidential compliance data. (4) Note the OpenAPI example/format mismatch — confirm expected request/response formats to avoid accidental data leaks. If you cannot verify the endpoint, credentials, and data handling, treat this skill as untrusted for real compliance workloads.
latest: vk97fsvzexkmm58m7dcfrqz5nfx83bjrx
