Skill v1.0.0

ClawScan security

Checkpoint Hardening · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 30, 2026, 7:42 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (generating Check Point hardening configurations) matches its instructions and artifacts; it is an instruction-only API wrapper and does not request unrelated credentials or system access, though some operational details (auth, server URLs) are incomplete and require caution.
Guidance
This skill appears to be an API wrapper that generates Check Point hardening configs and is internally consistent, but before using it you should: 1) verify the provider (toolweb.in / api.mkkpro.com) and trustworthiness of the endpoint; 2) confirm whether the external API requires authentication and, if so, how credentials are handled (do not paste secrets into chat history); 3) avoid sending real, sensitive network or credential data when testing — use synthetic data first; 4) review the service's privacy/security policy and TLS/hostname details (the docs reference a non-standard port and multiple domains); and 5) if you need offline or on-premises hardening templates, consider obtaining authoritative guidance from Check Point or your vendor rather than sending configuration details to an external service.

Review Dimensions

Purpose & Capability
ok: The name/description describe an API that generates hardened Check Point configurations and the SKILL.md + openapi.json consistently document a POST /api/hardening/generate endpoint and request/response shapes. There are no declared capabilities or environment requests that are inconsistent with this purpose.
Instruction Scope
note: SKILL.md stays within scope: it defines request/response payloads for generating hardening profiles and does not instruct the agent to read local files, other config paths, or unrelated environment variables. However, the instructions do not specify authentication, server base URLs in the OpenAPI spec, or how to handle potentially sensitive configuration data when sent to the external API — these omissions are operational gaps to be aware of.
Install Mechanism
ok: No install spec or code files (instruction-only), so nothing is written to disk or installed. This is the lowest-risk install profile for a skill.
Credentials
note: The skill requests no environment variables or credentials, which is proportionate for an instruction-only API description. That said, the SKILL.md references external endpoints and a commercial provider (toolweb.in / api.mkkpro.com) but gives no guidance on API keys or authentication — if the real service requires credentials, those would need to be provided separately and should be reviewed before use.
Persistence & Privilege
ok: The skill is not marked always:true, is user-invocable, and does not ask to modify agent or system-wide settings. It requests no persistent privileges.