Back to skill
Skillv1.0.2
ClawScan security
It Risk Assessment Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 3:10 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it is an instruction-only wrapper that always calls the ToolWeb API using curl and a single TOOLWEB_API_KEY; it requests no unrelated credentials or installs and contains no hidden code, but it will transmit user-provided security posture data to an external service so consider privacy and trust of the vendor before enabling.
- Guidance
- This skill is coherent for its stated purpose, but installing it means you'll be sending details about your infrastructure, controls, and gaps to a third-party API (portal.toolweb.in) using the TOOLWEB_API_KEY. Before enabling: verify the vendor's reputation and privacy/TOS, test with non-sensitive/sample data, ensure the API key is scoped/rotatable, monitor API usage and billing, and avoid sending secrets or configuration files (only provide high-level maturity answers). If you need assessments kept exclusively in-house, do not use this skill.
Review Dimensions
- Purpose & Capability
- okName/description align with behavior: the skill gathers structured maturity inputs and forwards them to the ToolWeb API. Required items (curl and TOOLWEB_API_KEY) are exactly what an API-based assessment service would need.
- Instruction Scope
- noteSKILL.md explicitly requires ALWAYS calling the external API and instructs the agent not to answer from its own knowledge. This is coherent with the stated purpose, but it means all user-provided assessment data (potentially sensitive) is sent to portal.toolweb.in on every run. The instructions do not reference unrelated files, other env vars, or system paths.
- Install Mechanism
- okInstruction-only skill with no install spec or downloadable artifacts. No code is written to disk by the skill itself; risk from install mechanism is low.
- Credentials
- noteOnly a single API key (TOOLWEB_API_KEY) is required and declared as primaryEnv, which is proportional. However, that key grants access to an external assessment service; treat it as sensitive, use least-privilege if supported, and monitor/rotate it as needed.
- Persistence & Privilege
- okSkill does not request always:true and is not trying to alter other skills or system-wide settings. It operates only when invoked and requires no persistent installation privileges.