Skill v1.0.2

ClawScan security

Iso Compliance Gap Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 3:10 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it is an API-backed ISO gap analysis tool that legitimately requires curl and a single TOOLWEB_API_KEY to call its external service; there are no surprising installs or extra credentials requested.
Guidance
This skill behaves as an API client: it will send organization-identifying information and assessment answers to https://portal.toolweb.in and requires a TOOLWEB_API_KEY (billing is tracked per call). Before installing, confirm you trust ToolWeb’s privacy and billing policies, avoid sending high-risk secrets or highly sensitive data, and store the API key in a least-privilege, private location (not a shared/global config). Consider testing with non-sensitive sample data first, verify how many calls your plan permits, and be prepared to rotate or revoke the API key if you stop using the skill.

Review Dimensions

Purpose & Capability
ok · The name and description match the runtime requirements: the skill is instruction-only and explicitly calls ToolWeb's API to produce assessments. Requiring curl and an API key is proportional for an external-service gap-analysis capability.
Instruction Scope
note · The SKILL.md mandates a POST to https://portal.toolweb.in/apis/compliance/iso-gap-analysis carrying organization details and answers to 23 assessment questions. This is expected for an API-driven analysis, but it means potentially sensitive organizational data is transmitted to the external service on every assessment: the skill forbids answering from the model's own knowledge and requires the API call each time.
Install Mechanism
ok · There is no install spec and no code files; the skill is instruction-only, so nothing is downloaded or written to disk by the skill itself. This is low-risk from an install/execution perspective.
Credentials
note · Only one required environment variable (TOOLWEB_API_KEY) is declared and used as the primary credential, which is appropriate for the described API-based workflow. However, anyone holding the key can make requests that are billed to the account, so it should be treated as a sensitive secret and scoped and stored accordingly.
Persistence & Privilege
ok · The skill is not forced-always-active and does not request modification of other skills or system-wide settings. disable-model-invocation is false (the usual setting), so the agent may invoke the skill when appropriate.
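As an added example, not code from the ClawHub review or from the skill itself, the following POSIX sh wrapper applies the Guidance and Credentials points before making the POST named in the Instruction Scope entry: it refuses a key file that is not a 0600/0400 regular file owned by the caller, refuses a payload that looks like it carries a credential rather than an assessment answer, keeps the key off the command line by feeding curl its configuration on stdin, and scrubs the key from curl's output. Assumptions not stated on this page: the key is read from the file named by KEY_FILE (default ~/.config/toolweb/api_key), the service accepts the key as an Authorization: Bearer header, and the payload is a JSON file the caller has already prepared (the request schema is not shown on the page, so none is invented here). The secret-detection patterns are illustrative, not exhaustive.

```shell
#!/bin/sh
# Added example, not code from the ClawHub review or from the skill.
# Wraps the POST the SKILL.md mandates with the key-handling and
# data-minimisation checks the scanner's Guidance recommends.
# Assumptions (not on the page): key file path in KEY_FILE, Bearer-token
# auth, caller-supplied JSON payload whose schema is not shown here.

TOOLWEB_URL="https://portal.toolweb.in/apis/compliance/iso-gap-analysis"

# Accept the key file only if it is a regular file owned by the caller
# with no group/other bits (0600 or 0400). Returns 0 when acceptable.
key_file_ok() {
  f="$1"
  [ -f "$f" ] || return 1
  # GNU stat and BSD stat spell the format flags differently; try both.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f" 2>/dev/null) || return 1
  [ "$owner" = "$(id -u)" ] || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Refuse a payload that looks like it carries a credential rather than an
# assessment answer. Patterns are illustrative, not exhaustive: key=value
# shapes for common secret names, AWS access key IDs, PEM private keys and
# JWT-like blobs. Returns 0 when nothing suspicious is found.
payload_clean() {
  p="$1"
  [ -f "$p" ] || return 1
  if grep -Eiq '(api[_-]?key|secret|passw(or)?d|token)"?[[:space:]]*[:=][[:space:]]*"?[^"[:space:],]{8,}' "$p"; then
    return 1
  fi
  if grep -Eq '(AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|eyJ[A-Za-z0-9_-]{10,}\.)' "$p"; then
    return 1
  fi
  return 0
}

# Run both checks, then POST the payload. The key reaches curl through a
# config read from stdin (-K -), so it never appears in the process list,
# and it is scrubbed from whatever curl prints. Needs network access and a
# real key; the two check functions above can be exercised offline.
send_assessment() {
  key_file="${KEY_FILE:-$HOME/.config/toolweb/api_key}"
  payload="$1"
  key_file_ok "$key_file" || { echo "refusing: $key_file must be a 0600 file you own" >&2; return 2; }
  payload_clean "$payload" || { echo "refusing: $payload looks like it contains a credential" >&2; return 3; }
  TOOLWEB_API_KEY=$(cat "$key_file")
  curl -sS -f -K - <<EOF 2>&1 | sed "s|$TOOLWEB_API_KEY|<redacted>|g"
url = "$TOOLWEB_URL"
request = "POST"
header = "Authorization: Bearer $TOOLWEB_API_KEY"
header = "Content-Type: application/json"
data-binary = "@$payload"
EOF
}
```

Running `send_assessment answers.json` with a valid key file performs the real call and consumes a billed request; to rehearse the guidance first, call key_file_ok and payload_clean directly on scratch files holding non-sensitive sample data, which also shows why a key copied into a shared or world-readable config is rejected.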