Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kubernetes Security Posture Scorecard

v1.0.0

Assess Kubernetes cluster security posture across 30 controls covering RBAC, workload security, network policies, IaC, runtime monitoring, and secrets manage...

0 · 123 · 0 current · 0 all-time

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious

OpenClaw: Benign (medium confidence)
Purpose & Capability
Name and description match the behavior in SKILL.md: the skill collects answers about 30 Kubernetes controls and calls an external scoring API. Requiring curl and an API key for portal.toolweb.in is proportionate to that purpose.
Instruction Scope
SKILL.md explicitly requires always calling the external ToolWeb API and instructs the agent not to generate a score locally. The instructions do not request kubeconfigs or cluster credentials, only metadata (cluster_name, environment, k8s_version, cloud_provider) and yes/no answers for controls; however, those inputs may still be sensitive (cluster identifiers, configuration choices). Confirm what exact fields the API receives and avoid sending secrets or kubeconfig data.
Install Mechanism
This is an instruction-only skill with no install step and no code files. That minimizes local installation risk — nothing is downloaded or written to disk by the skill itself.
Credentials
The only required environment variable is TOOLWEB_API_KEY, which is coherent with an external hosted API. Ensure the key is least-privileged, scoped, and tracked; do not set cluster credentials as environment variables for this skill.
Persistence & Privilege
The skill is not always-enabled and does not request system config paths or modify other skills. It uses the platform's normal autonomous invocation defaults (disable-model-invocation is false), which is expected for an agent-invoked API integration.
Assessment
This skill delegates scoring to an external service (portal.toolweb.in) and will transmit cluster metadata and your answers to the 30 controls. Before installing: (1) Verify the ToolWeb service and its TLS certificate and privacy/security policies; (2) Confirm exactly what fields are sent by the API (avoid sending kubeconfig, credentials, or other secrets); (3) Use a least-privileged, revocable API key and monitor usage/billing; (4) Test on non-production data first; (5) If you need an offline/local assessment, do not use this skill because SKILL.md requires calling the external API.

latest · vk97d97fpqybsvdqvsm4h4kk0bd834sjt

Runtime requirements

🛡️ Clawdis
OS: Linux · macOS · Windows
Bins: curl
Env: TOOLWEB_API_KEY
Primary env: TOOLWEB_API_KEY