IT Risk Assessment Tool
Pass. Audited by ClawScan on May 1, 2026.
Overview
This instruction-only skill appears to be a straightforward paid ToolWeb API wrapper for IT risk assessments, but it sends security posture details to an external service and uses an API key-backed account.
This skill is reasonable if you intentionally want to use ToolWeb's hosted IT risk assessment service. Before installing, confirm you are comfortable sending security posture information to ToolWeb and with API calls consuming your plan or quota.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may consume paid ToolWeb API calls, and the agent is instructed not to provide a local fallback assessment if the API fails.
The skill mandates an external curl call for successful use and discloses that calls are tracked for billing. This is central to the skill's API-wrapper purpose, but users should understand that use can consume quota or incur costs.
**ALWAYS call the ToolWeb API endpoint using curl.** Do NOT answer from your own knowledge. ... Every successful API call is tracked for billing
Install and invoke it only if you want ToolWeb to perform the assessment; consider requiring confirmation before billable API calls.
Anyone able to run the skill with this environment variable can use the configured ToolWeb account's API access or quota.
The skill requires and uses a provider API key in the request header. This is expected for the service, but it is still account-backed credential use.
`TOOLWEB_API_KEY` — Get your API key from [portal.toolweb.in](https://portal.toolweb.in) ... -H "X-API-Key: $TOOLWEB_API_KEY"
Store the API key securely, avoid exposing it in logs or shared configs, and rotate it if it may have been disclosed.
The information sent may reveal weaknesses in the user's security posture to ToolWeb.
The workflow sends IT security maturity details, including access control, incident response, and vendor risk information, to an external provider endpoint.
POST https://portal.toolweb.in/apis/security/it-risk-assessment ... `access_mfa` ... `ir_plan` ... `vendor_monitoring`
Share only the level of detail needed for the assessment, avoid including secrets or highly specific infrastructure details, and review ToolWeb's privacy and retention terms.
