Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Compliance Gap Filler

v1.0.0

Identifies and fills compliance control gaps across security frameworks like ISO 27001, NIST, and SOC 2.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the included OpenAPI both describe a service that analyzes compliance gaps — that is coherent. However, the SKILL.md advertises an external API and commercial pricing but declares no authentication or credential requirements, which is unexpected for a paid API and worth clarifying.
Instruction Scope
Runtime instructions reference POST /fill-compliance-gaps and provide example requests/responses and external URLs (api.mkkpro.com, toolweb.in). That means the agent will send user-supplied control lists (potentially sensitive compliance data) to an external service; the skill does not document how data is authenticated, stored, or protected.
Install Mechanism
Instruction-only skill with no install spec or code files. This minimizes on-disk risk; there is no downloaded or executable payload.
Credentials
No env vars, credentials, or primary credential are declared, yet the SKILL.md references paid plans and third-party API endpoints that commonly require API keys. The absence of declared auth is disproportionate and ambiguous — the agent might send data without explicit credentials or guidance.
Persistence & Privilege
The skill is not always-enabled and has no install or config changes. It does not request elevated persistence or modify other skills.
Scan Findings in Context
[no_regex_findings] expected: The regex scanner found no code to analyze because this is an instruction-only skill (SKILL.md and openapi.json only). That is expected, but it means static analysis couldn't verify runtime network behavior.
What to consider before installing
This skill will direct an agent to send your compliance data to external endpoints (api.mkkpro.com / toolweb.in). Before installing or invoking it:
1) Confirm where network requests actually go and whether the API requires an API key; ask the author for authentication details and their privacy/TOS for stored data.
2) Do not send real/proprietary compliance evidence until you verify retention, access controls, and encryption.
3) Test with non-sensitive dummy data first.
4) If you need strict data control, prefer a self-hosted or internal tool that doesn't call unknown third parties.
5) If you allow the skill, consider restricting agent autonomy or monitoring outbound network calls so sensitive information isn't unintentionally transmitted.



