Skill v1.0.2

ClawScan security

Data Breach Impact Calculator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 3:09 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent: it legitimately requires an API key and curl to call the ToolWeb API and its instructions align with its stated purpose, but it will transmit user-provided (potentially sensitive) breach details to a third-party endpoint and users should understand the privacy and billing implications before enabling it.
Guidance
This skill will send the breach assessment inputs you collect (industry, number/type of records, security posture, etc.) to https://portal.toolweb.in and use your TOOLWEB_API_KEY for authentication. Before installing: 1) Confirm you trust ToolWeb.in and review their privacy, security, and billing terms (especially for PHI/HIPAA regulated data); 2) Do not send identifiable patient/customer data unless you have a legal basis and the vendor supports required compliance (e.g., a BAA for HIPAA); 3) Prefer anonymized or synthetic data for initial tests; 4) Store the API key securely and restrict environment access; rotate keys periodically; 5) Be aware each successful call may be billable per README; monitor usage and rate limits; 6) Verify TLS (https) endpoint and vendor reputation if you plan to use this in production.

Review Dimensions

Purpose & Capability
ok: The name/description (data breach cost calculator) matches the declared requirements: a single API key (TOOLWEB_API_KEY) and curl to call the ToolWeb API. Asking for an API key is expected for a proprietary analysis service.
Instruction Scope
note: SKILL.md explicitly instructs the agent to ALWAYS call the external API and to not answer from its own knowledge. The required input fields are limited to breach-related attributes (recordsAffected, dataSensitivity, industry, etc.). This is coherent, but it means the agent will send user-provided breach details (which can include PHI/PII) to portal.toolweb.in, a privacy risk that users must accept.
Install Mechanism
ok: Instruction-only skill with no install steps or code files. Lowest-risk install model; it relies on an existing curl binary.
Credentials
ok: Only one environment variable (TOOLWEB_API_KEY) is required and it's clearly the primary credential used for the API call. No unrelated credentials or config paths are requested.
Persistence & Privilege
ok: always:false and no system config modifications are requested. The skill does not demand permanent system presence or elevated privileges.