Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
CVE Scanner
v1.0.0
Scan and identify Common Vulnerabilities and Exposures (CVEs) in software components and dependencies.
⭐ 0 · 67 · 0 current · 0 all-time
by ToolWeb @krishnakumarmahadevan-cmd
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
Name and description (CVE lookup) match the included OpenAPI manifest and SKILL.md. Requiring no local tools, files, or credentials is plausible for a simple remote CVE lookup service.
Instruction Scope
SKILL.md describes POST /scan-cve and gives request/response examples and usage guidance; it does not instruct the agent to read local files or environment variables. However, the document references external hosts (api.mkkpro.com, toolweb.in) and an API gateway — the instructions are ambiguous about which host/URL the agent should call and whether queries (which may contain sensitive package or repo identifiers) will be transmitted to that external service.
Install Mechanism
No install spec and no code files — this is instruction-only, so nothing is written to disk and no packages are pulled during install.
Credentials
The skill declares no required credentials or env vars, yet SKILL.md advertises a hosted API with paid plans and endpoint URLs. There is an inconsistency: a hosted/paid API typically requires API keys or authentication, but none are declared. Also, queries (package names, versions, possibly proprietary component identifiers) will be sent to an external service — this is expected for such a tool but is a privacy/telemetry risk that is not documented here.
Persistence & Privilege
always is false and the skill is user-invocable. There is no indication the skill requests persistent system presence or modifies other skills/config.
What to consider before installing
This skill appears to be an instruction-only wrapper for a hosted CVE lookup API (references to api.mkkpro.com and toolweb.in). Before installing or using it:
1. Confirm the exact endpoint(s) the skill will call (base URL, TLS), and whether it requires an API key or account.
2. Do not send sensitive or proprietary package/component identifiers until you confirm the vendor's privacy policy and data retention.
3. Verify costs and rate limits (the SKILL.md lists paid plans but gives no auth details).
4. If you need on-premise or offline scanning for sensitive code, prefer a tool that runs locally rather than sending queries to an unknown third party.
5. Ask the publisher for provenance (who operates api.mkkpro.com / toolweb.in) and a security/privacy statement.
These clarifications would raise confidence; absence of them is why I mark the skill as suspicious.

Like a lobster shell, security has layers — review code before you run it.
latest: vk97002b9h2xv61w1592tp2kvcn838r69
