Skill v1.0.2

ClawScan security

Gdpr Compliance Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 3:10 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it legitimately requires a ToolWeb API key and curl to call the ToolWeb GDPR assessment API, but using it will send organizational/compliance data to a third-party service and incur billing — review privacy and billing before enabling.
Guidance
This skill sends the organization's answers (company size, data processing activities, counts, control flags, etc.) to an external API (portal.toolweb.in) and tracks calls for billing. Before installing: (1) Verify ToolWeb's privacy policy and whether sending the specific details you plan to provide is acceptable; (2) Restrict and monitor the TOOLWEB_API_KEY, avoid storing highly sensitive raw personal data in requests, and test with non-sensitive examples first; (3) Expect billing after the free trial and confirm pricing; (4) Be aware the skill forbids local fallbacks — if the API is down you will not get an assessment from the agent. If you need offline/local assessments or want to avoid third-party data transfer, do not enable this skill.

Review Dimensions

Purpose & Capability
ok: The name/description (GDPR assessment) aligns with the declared requirements: a single TOOLWEB_API_KEY and curl to call portal.toolweb.in. The requested credential and binary are proportionate to the stated goal.
Instruction Scope
note: SKILL.md explicitly requires gathering structured organization and processing details and always calling the ToolWeb API to produce results. That is within scope for a hosted assessment service, but it means potentially sensitive organizational data and high-level data-processing details will be transmitted to the external API, and the skill forbids generating answers from local knowledge.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files, the lowest install risk. It relies on curl being present on PATH; nothing is written to disk by the skill itself.
Credentials
ok: Only one environment variable is required (TOOLWEB_API_KEY) and it is declared as the primary credential. No unrelated secrets, config paths, or excessive environment access are requested.
Persistence & Privilege
ok: Skill is not marked always:true and does not request persistent system-level privileges or modify other skills. It will run only when invoked.