Skill v1.3.2
ClawScan security
OT Security Posture Scorecard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 7:22 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it collects user-provided OT assessment inputs and sends them to ToolWeb.in using a single API key (TOOLWEB_API_KEY); nothing in the files or instructions requires unrelated credentials or system access.
- Guidance: This skill appears coherent with its stated purpose, but before installing: (1) verify you trust the vendor (portal.toolweb.in) and their privacy/data-handling practices, since the skill will send assessment data to that endpoint; (2) only provide a dedicated API key with limited scope if possible; (3) be aware the included test script makes live network calls (to port 8443) and optionally uses python3 for pretty-printing; and (4) if you need higher assurance, contact the vendor for provenance (the repository lists a different support email in README) and test the skill in a controlled environment before using with real production data.
Review Dimensions
- Purpose & Capability (ok): Name, description, required binary (curl), and the single required environment variable (TOOLWEB_API_KEY) match the declared purpose of calling an external OT assessment API. The included scripts and examples only exercise that API.
- Instruction Scope (note): SKILL.md instructs the agent to gather OT/CSF input and POST it to https://portal.toolweb.in:8443/security/itotassessor using the TOOLWEB_API_KEY — this is in-scope. Minor notes: the test script formats JSON output with python3 if available (python3 is not declared as a required binary). No instructions read local files or other environment variables.
- Install Mechanism (ok): No install spec (instruction-only skill) and no downloads or extracted archives — lowest-risk install posture. Provided files are documentation and a simple test script.
- Credentials (ok): Only one credential is required (TOOLWEB_API_KEY) and it is the primary credential used to authorize requests to the stated external API. No unrelated secrets or system credentials are requested.
- Persistence & Privilege (ok): always:false and normal user-invocable/autonomous invocation defaults. The skill does not request persistent system privileges or attempt to modify other skills or system config.
