Iso42001 Aims Readiness
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s main ISO 42001 API workflow is clear, but an included test script sends the API key with certificate checks disabled, so it should be reviewed before use.
The core skill appears to be a normal API-backed compliance assessment, but it sends your organization’s AI governance details to ToolWeb and may consume paid calls. Before installing, verify you trust the provider and API pricing. Avoid running scripts/test-api.sh unless it is fixed to use normal TLS certificate verification and the expected endpoint.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill sends assessment inputs to ToolWeb and may consume paid API quota.
The skill is designed around an external API call and discloses billing, which is purpose-aligned but important for users to understand before invoking it.
ALWAYS call the ToolWeb API endpoint using curl... Every successful API call is tracked for billing
Use it only when you intend to run the ToolWeb assessment, and confirm the API plan, quota, and data-sharing expectations.
If the helper script is run on an untrusted network or against an unexpected endpoint, the ToolWeb API key could be exposed or misused.
The test script sends the API key using curl's -k option, which disables TLS certificate verification; it also uses a different port/path than the endpoint documented in SKILL.md.
API_URL="https://portal.toolweb.in:8443/iso42001" ... curl -sk ... -H "X-API-Key: $TOOLWEB_API_KEY"
Do not run the helper script as-is. Remove the -k option, use the documented endpoint with valid TLS, and rotate the API key if it may have been exposed.
