Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Email Header Analyser
v1.0.0Analyzes email headers to extract authentication, routing, and security metadata for threat detection and email forensics.
⭐ 0· 67·0 current·0 all-time
byToolWeb@krishnakumarmahadevan-cmd
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md and openapi describe an API-based email header analyzer and list external hostnames (api.mkkpro.com, toolweb.in). However the skill declares no servers in the OpenAPI, no install, and no required credentials. If this skill is expected to call a third‑party API, it should declare the server URL and any required API keys. The absence of those items is inconsistent with a hosted API integration.
Instruction Scope
The instructions describe accepting raw email headers and returning parsed forensic results. They do not instruct reading local files or env vars, which is good, but they implicitly direct the agent to use an external service (links and a Kong route are provided). That means sensitive email headers (containing IPs, addresses, possibly internal routing info) would be transmitted to the listed third parties. There is no privacy notice, no explicit consent step, and no guidance to avoid sending production-sensitive headers.
Install Mechanism
This is an instruction-only skill with no install spec or code — lowest disk/write risk. However, because it appears to rely on an external API, the security surface is runtime network calls rather than local installation. That makes network destination and authentication the primary risk vectors.
Credentials
The skill lists pricing plans (Free/Developer/Professional/Enterprise) which implies an API that likely requires keys or an account, yet requires.env and primary credential are empty. This omission is disproportionate: a hosted API integration should declare required credentials or clearly document how authentication is handled. The mismatch makes it unclear whether the skill will prompt users for credentials or silently transmit data.
Persistence & Privilege
always is false and there are no declared actions that modify other skills or system settings. The skill can be invoked autonomously by the agent (platform default), which increases risk only in combination with the other concerns above, but autonomy alone is not flagged.
What to consider before installing
This skill appears to be a thin API descriptor that points at third-party hosts (api.mkkpro.com, toolweb.in) but does not declare the server URL in OpenAPI or any required API keys. Before installing or using it: (1) confirm who operates the api.mkkpro.com/toolweb.in endpoints and read their privacy/security policy; (2) assume any header text you submit will be transmitted off‑host — email headers can contain PII and internal network information, so do not submit production or sensitive headers until you trust the endpoint; (3) ask the skill author to include the API server(s) in openapi.json, declare required credentials, and document how data is handled, retained, and protected; (4) if you need offline/local analysis, prefer a skill or tool that runs parsing code locally or provide your own self‑hosted endpoint; (5) test with synthetic headers first. If the author cannot provide clear hosting/authentication/privacy details, treat the skill as unsafe for sensitive data.Like a lobster shell, security has layers — review code before you run it.
latestvk97drznrmdf3yfzw7tqt82940983begk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.