Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Azure AKS Hardening
v1.0.0
Generates CIS v1.8.0 compliant Azure Kubernetes Service (AKS) configurations for security hardening.
by ToolWeb (@krishnakumarmahadevan-cmd)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The name/description and the included OpenAPI spec align: this is an API that generates CIS v1.8.0 AKS hardening configuration. However, the skill documents a paid external service (toolweb / api.mkkpro.com) yet declares no required credentials or env vars; that mismatch is unexpected for a hosted API offering paid tiers.
Instruction Scope
SKILL.md describes POST /api/aks/generate and sample payloads/responses but does not provide an explicit server/base URL in the OpenAPI spec nor clear runtime instructions about how the agent should call the service (authentication headers, rate limits, which base host to use). The doc references external hosts (api.mkkpro.com and api.mkkpro.com:8149) and pricing, which implies network calls and possibly API keys — yet no guidance on handling sensitive inputs (e.g., cluster identifiers, secrets) or whether sensitive data is retained by the service.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing is written to disk and there is no package installation step — lower installation risk.
Credentials
The skill requests no environment variables or credentials, but documents a paid external API and an external Kong route. In practice a hosted API with paid tiers commonly requires API keys or tokens; the absence of declared credentials is an inconsistency. Also, the docs do not warn users about sending potentially sensitive configuration data to a third-party service or how long that data is retained.
Persistence & Privilege
The manifest's always flag is false and there are no config-path or system-level operations. The skill does allow normal autonomous invocation (disable-model-invocation is false), which is the platform default; combined with its network calls this increases the blast radius slightly, but that is expected for an API-style skill.
What to consider before installing
This skill appears to describe a third-party API for generating AKS hardening configs, but the documentation is vague about which base URL to call, how to authenticate, and how data is handled. Before installing or using it:
(1) verify the service hostname and TLS (use the documented https endpoints),
(2) ask the provider whether an API key or account is required, and never hard-code sensitive keys into the agent,
(3) avoid sending real cluster credentials or secrets; test with non-sensitive data first,
(4) review the provider's privacy/retention policy to ensure configs you send aren't stored indefinitely,
(5) prefer an explicit requires.env (API_KEY) or instructions that make authentication and billing transparent, and
(6) independently review any generated configuration before applying it to production.
These steps will reduce the risk of accidental data exposure or unexpected charges.
latest: vk974bganqydtfek1nv3btrwn6583yj0n
