Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
K8s Security Review
v1.0.0
Analyzes Kubernetes YAML manifests for security misconfigurations, best-practices violations, and compliance risks.
by ToolWeb (@krishnakumarmahadevan-cmd)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
Name/description match the behavior in SKILL.md (it analyzes Kubernetes manifests). However, the README includes external service references and pricing (toolweb.in, api.mkkpro.com) even though the endpoints section only lists a relative path (/review-k8s) and the skill requests no credentials. It is plausible that this is a wrapper for a hosted API, but the skill does not declare the base URL, network usage, or any required API key, which is an unexplained gap.
Instruction Scope
SKILL.md instructs sending full Kubernetes YAML as the request body. Kubernetes manifests often contain secrets, credentials, or other sensitive information; the instructions do not warn about sensitive data, nor do they describe retention, privacy, or where the manifest will be sent. Because the skill appears to depend on an external API (vendor links provided), this creates a real risk of inadvertent exfiltration of sensitive config.
Install Mechanism
Instruction-only skill with no install spec and no bundled code — minimal disk footprint and no packages to review. This is the lowest-risk install model.
Credentials
The skill requests no environment variables or credentials, which is consistent with a simple analyzer. However, the documentation advertises paid plans and external endpoints, yet asks for no API key or auth — either the service is public/free (possible) or the skill omits required auth details. This mismatch should be clarified.
Persistence & Privilege
The skill does not request always:true, does not require special OS restrictions, and does not request system config paths or persistent credentials. It uses normal, user-invocable privileges.
What to consider before installing
Before installing or using this skill:

1) Treat any Kubernetes manifest you send to an external service as potentially sensitive — avoid sending manifests that contain Secrets, passwords, tokens, kubeconfigs, or other credentials.
2) Ask the skill author or registry for the exact base URL the agent will call, how network requests are authenticated, and the vendor's data retention/privacy policy. The SKILL.md lists toolweb.in and api.mkkpro.com — verify those endpoints independently.
3) If you prefer no network exposure, use a local/offline linter instead (examples: kube-linter, kubeconform, kubesec, conftest, Polaris).
4) Test with non-sensitive example manifests first and confirm where telemetry or logs are sent. If the vendor expects an API key or paid plan, demand that the skill declare the required credentials explicitly before use.

Like a lobster shell, security has layers — review code before you run it.
latest: vk97fxvbggcq67bhb39kewc96dd83bs8n
