Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Breached Email Check
v1.0.0
Check if an email has appeared in known data breaches and get detailed breach history, severity, compromised data, and remediation recommendations.
by ToolWeb @krishnakumarmahadevan-cmd
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and SKILL.md behavior align: it checks an email against breach databases and returns breach details. The endpoints and outputs described match the stated purpose.
Instruction Scope
Runtime instructions are limited to calling an external API to check emails and returning breach data — that is within scope. However, the SKILL.md explicitly instructs sending email addresses to portal.toolweb.in (and to pass an API key or MCP argument), which means user-supplied emails will be transmitted off-platform; SKILL.md does not include privacy/retention rules or limits on what context to include when calling the API.
Install Mechanism
Instruction-only skill with no install spec or code files — nothing is written to disk and no external installers are used.
Credentials
SKILL.md requires an API key via an X-API-Key header or 'mcp_api_key', but the registry metadata declares no required environment variables or primary credential. This mismatch is important: the skill will need credentials to function (and to be useful), but none are declared. The skill will transmit potentially sensitive email addresses to an external service, which requires explicit vetting of the credential handling and trust in the remote API provider.
Persistence & Privilege
`always` is false, and no system config paths or persistent privileges are requested. Autonomous invocation is allowed (platform default) — note this increases the blast radius because the skill sends data externally, but the skill itself does not request unusual privilege escalation.
What to consider before installing
This skill looks like what it says (an external breach-check API), but the SKILL.md expects an API key while the registry metadata declares no required credential — that's an incoherence you should resolve before installing. Before using:
1) Ask the publisher to declare the required API key/env var in the skill metadata (and confirm where the key is stored and how it's protected).
2) Verify the external API domain (toolweb.in) and the publisher's identity/terms/privacy policy; confirm TLS and data-retention practices.
3) Consider privacy: the skill will send email addresses (and possibly other context) to a third party — avoid sending sensitive or production emails until you're confident in the provider.
4) If you allow autonomous invocation, be aware the agent could send user emails automatically; restrict scope or require explicit user approval for every check.
5) Test with non-sensitive example emails and confirm expected behavior and error handling before enabling in production.
Like a lobster shell, security has layers — review code before you run it.
latestvk97dk46fszcktackqnmdvb84x5837r2m
