Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Kubernetes Network Policy Generator
v1.0.0
Evaluate and compare privacy solution vendors with a weighted scorecard across 12 criteria. Use when selecting privacy management software, comparing data pr...
⭐ 0· 101·0 current·0 all-time
by ToolWeb @krishnakumarmahadevan-cmd
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill package's name and slug present it as a Kubernetes Network Policy Generator, but the SKILL.md, README, API endpoint, required env var (TOOLWEB_API_KEY), and workflow are all about a privacy solution/vendor scorecard. This naming/content mismatch is unexplained and suspicious: either a packaging error or intentional mislabeling. Other declared requirements (curl and TOOLWEB_API_KEY) are consistent with the scorecard functionality, but the name/slug inconsistency is a major red flag.
Instruction Scope
The instructions are explicit: gather organization and vendor inputs and POST them to https://portal.toolweb.in/apis/compliance/privacy-scorecard using X-API-Key. They do not instruct reading local files, other environment variables, or system config. Note: the skill will transmit user-provided organizational and vendor details (potentially sensitive) to a third-party endpoint — users should be aware that this data leaves their environment.
Install Mechanism
No install spec or code files are present; this is instruction-only and requires curl on PATH. That is the lowest-risk install mechanism because nothing is written to disk by the skill bundle itself.
Credentials
Only a single API credential (TOOLWEB_API_KEY) is required and is plausibly needed to call the ToolWeb API shown in the instructions. The requested environment access is minimal and proportionate — however, granting this key authorizes the external service to act on the user's behalf, so trust in the service is required.
Persistence & Privilege
The skill does not request always:true and has no config path requirements. It does not appear to modify other skills or system settings. Model/autonomous invocation is enabled (default) but that's normal and not in itself flagged here.
What to consider before installing
Do not install this skill until you resolve the naming mismatch. The SKILL.md and README clearly implement a privacy-scorecard that posts data to portal.toolweb.in and requires TOOLWEB_API_KEY, but the package name/slug suggests an unrelated Kubernetes tool. This could be a benign packaging mistake or an attempt to hide purpose. Before installing:
1) Verify the publisher and homepage (portal.toolweb.in) independently (company identity, TLS cert, contact info, privacy policy).
2) Confirm why the package is named 'k8s-network-policy-generator' — ask the publisher or check repo history.
3) If you proceed, test with non-sensitive dummy data and a limited-scope API key.
4) Prefer to create a revocable API key or scoped credentials and rotate/revoke them after testing.
5) If you cannot verify the origin or reason for the mismatch, avoid installing or exposing real organizational data to this skill.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97dmqx4832trj4j0q7vef51ps835w5w
Runtime requirements
📊 Clawdis
OS: Linux · macOS · Windows
Bins: curl
Env: TOOLWEB_API_KEY
Primary env: TOOLWEB_API_KEY
