Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hash Finder

v1.0.0

Crack and identify hashes by attempting to match them against known hash databases and common plaintext values.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
The SKILL.md describes a network-backed hash-cracking API (references to api.mkkpro.com and toolweb.in) and pricing tiers, but the skill declares no required credentials or environment variables. If the skill actually calls a paid or authenticated external service, missing credentials is an inconsistency. No homepage or verifiable owner information is provided (source unknown).
!
Instruction Scope
The instructions and OpenAPI schema describe a /crack-hash endpoint and provide example requests/responses; they imply the agent will send supplied hashes to an external service. The SKILL.md does not document privacy, retention, or whether hashes are sent to third parties. Sending password hashes or other sensitive material to an external API without clear policy is a privacy/exfiltration risk.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to be written to disk, which minimizes installation risk.
!
Credentials
No environment variables or credentials are declared even though the README mentions pricing and external service portals (portal.toolweb.in, hub.toolweb.in). Either the service is public/free (contradicted by pricing) or the skill omits required API keys — the omission is disproportionate and unexplained.
Persistence & Privilege
The skill does not request always:true, does not declare system config paths, and is user-invocable only. It does not request elevated or persistent privileges.
What to consider before installing
This skill will likely send any hashes you provide to external servers (toolweb.in / api.mkkpro.com). Before installing or using it:
1) Do not submit real user passwords or unsalted password hashes — test only with non-sensitive examples.
2) Ask the publisher for the API server URL, authentication requirements, and a privacy/retention policy.
3) Verify the service reputation (toolweb.in / mkkpro domains) and whether an API key is required (the SKILL.md lists pricing but the skill declares no credentials).
4) If you need offline cracking, prefer local tools (hashcat/john) rather than an unknown third-party API.
If the publisher can confirm where requests go, whether keys are required, and provide a privacy statement, reassess; until then treat this as untrusted for sensitive data.

Like a lobster shell, security has layers — review code before you run it.
