Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SOX Compliance

v1.0.0

Enterprise-grade Sarbanes-Oxley assessment platform that evaluates organizational compliance with SOX requirements across multiple control domains.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim an enterprise SOX assessment platform and the SKILL.md + openapi.json model that API surface. However the package provides no server/auth configuration, no publisher/homepage, and no declared credentials — an API wrapper normally discloses the base URL and auth requirements. The lack of those details is an unexplained omission.
Instruction Scope
SKILL.md contains only API documentation, sample requests/responses, and endpoints. It does not instruct the agent to read local files, pull environment variables, or exfiltrate unrelated data. Scope of runtime instructions stays within the stated assessment functionality.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing will be written to disk during install. That reduces installation risk.
Credentials
No environment variables, credentials, or config paths are requested. Yet the documentation references external endpoints (api.mkkpro.com / portal.toolweb.in) and pricing, implying a hosted service that likely requires credentials or an API key. The absence of declared auth is a proportionality/information mismatch — the skill might require secrets at runtime but does not declare them.
Persistence & Privilege
The skill does not request always:true and uses default autonomy settings. It does not attempt to modify agent-wide configs or other skills. No persistence or elevated privileges are requested.
What to consider before installing
This skill documents an external SOX assessment API but has no publisher/homepage and omits server/auth details. Before installing or using it:

1) Confirm the canonical base URL and whether the API requires an API key or account — do not send sensitive company data until you know where it goes.
2) Verify the publisher (toolweb.in / api.mkkpro.com) and check their reputation and TLS certificates for the referenced domains.
3) Ask the author for the auth method, data retention/privacy policy, and sample non-production endpoints.
4) If you plan to send real audit evidence or PII, test against a sandbox environment and use least-privilege tokens.
5) Prefer skills that declare servers and required credentials explicitly or come from a verified publisher.

Providing those details would raise confidence; their absence is why this is flagged as suspicious.


latest: vk9796t5k2y8n1yjk8p52jntapn83fc6z
