Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Risk Assessment Compliance
v1.0.0
Performs comprehensive security checks and compliance risk assessments on websites and applications.
⭐ 0· 77·0 current·0 all-time
by ToolWeb @krishnakumarmahadevan-cmd
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the included OpenAPI fragment describe a security assessment API and a /security-check endpoint, which is coherent with the stated purpose. However, the skill does not declare a base URL or any authentication requirements even though the SKILL.md references external commercial endpoints (toolweb.in, api.mkkpro.com) and pricing — this is an omission that makes the capability incomplete and unclear.
Instruction Scope
SKILL.md describes requests/responses and references external API hosts (api.mkkpro.com, toolweb.in) but gives no explicit runtime instruction on which host/URL to call or how to supply credentials. The instructions are vague/open-ended, which could cause the agent to (a) attempt network calls to third-party endpoints by inferring hosts from references, or (b) fail silently. There is also no guidance about handling sensitive targets (internal URLs) or data-handling/privacy considerations.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. This is the lowest-risk install model.
Credentials
No required environment variables or primary credential are declared, yet the SKILL.md references a paid API and platforms (RapidAPI, portal.toolweb.in) where an API key or account would typically be required. The absence of declared auth variables is disproportionate to the claimed functionality and leaves open the question of how authentication and billing would be handled.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not declare actions that modify agent or system-wide settings. Autonomous invocation is allowed (default) but not combined with other privilege escalations.
What to consider before installing
This skill appears to describe a third‑party security-scanning API but is missing crucial runtime details. Before installing or using it:
(1) verify the publisher and their privacy/security policy (toolweb.in / api.mkkpro.com links are present but source is 'unknown');
(2) confirm the base API URL and how authentication/billing is handled — expect an API key even though none is declared;
(3) avoid sending sensitive or internal URLs to an unverified external service (risk of data exposure);
(4) request an explicit servers field or configuration instructions (OpenAPI 'servers' is missing) and declared env vars for any keys the skill needs;
(5) prefer skills that clearly document endpoints, auth, and data-handling, or run your own scanner/hosted solution you control.
If you proceed, test first with non-sensitive public targets and ask the publisher for credentials and a privacy/data-retention statement.
Like a lobster shell, security has layers — review code before you run it.
latest vk974xgw3y33czzwz06xwwdts9n83b2wf
