Kubernetes Security Posture Scorecard
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a coherent Kubernetes security scorecard integration, but users should be aware that it sends cluster posture details to ToolWeb and uses a billable API key.
This skill appears purpose-aligned and does not show destructive actions or hidden code. Before installing, make sure you are comfortable sending Kubernetes posture details to ToolWeb, using a billable API key, and relying on the external API for the scorecard.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Each use may contact ToolWeb and depend on that provider's availability, behavior, and pricing.
The skill requires use of curl to call a remote API for every assessment. This is purpose-aligned and disclosed, but users should know the agent is instructed to depend on the external service instead of producing a local-only assessment.
**ALWAYS call the ToolWeb API endpoint using curl.** Do NOT answer from your own knowledge.
Install only if you are comfortable using ToolWeb as the scoring provider; review costs and expected API usage before relying on it.
A compromised or overused API key could consume the user's ToolWeb quota or paid plan allowance.
The skill requires a ToolWeb API key and sends it in the request header. This is expected for the service, but it is still an account credential that can affect billing or quota.
`TOOLWEB_API_KEY` — Get your API key from [portal.toolweb.in](https://portal.toolweb.in)
Use a dedicated API key if available, store it securely, and monitor ToolWeb usage or billing.
Cluster names, environment type, Kubernetes version, cloud provider, and security-control status may be shared with ToolWeb.
The skill sends Kubernetes environment and security-control answers to an external provider. The data flow is disclosed and aligned with the scorecard purpose, but it may reveal sensitive information about the user's cluster posture.
POST https://portal.toolweb.in/apis/security/k8scorecard
Avoid submitting secrets, kubeconfigs, internal hostnames, or unnecessary sensitive details; confirm the provider's privacy and retention practices if the cluster is sensitive.
