Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
CISO Career
v1.0.0
Professional Chief Information Security Officer (CISO) career development platform that generates personalized roadmaps and specialization guidance.
by ToolWeb (@krishnakumarmahadevan-cmd)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The declared purpose (generate personalized CISO career roadmaps) matches the OpenAPI paths and SKILL.md examples; required capabilities are minimal and there are no unrelated env vars or binaries. However the skill provides no server/base URL, no homepage or source link, and no provenance for the claimed expert backing — this makes the deployment/hosting unclear.
Instruction Scope
SKILL.md instructs the agent to call /api/ciso/roadmap and other endpoints with assessment data and shows sample requests/responses. It does not instruct reading local files, environment variables, or performing unrelated actions. Concern: it does not specify the server host or any privacy/retention rules, so callers may be prompted to send potentially sensitive user data to an unspecified destination.
Install Mechanism
No install spec and no code files beyond an OpenAPI document and SKILL.md — instruction-only skill with no downloads or install steps (lowest risk for code delivery).
Credentials
The skill requests no environment variables, credentials, or config paths. The data fields shown (experience, skills, userId) are reasonable for a career roadmap service, but there is no guidance about excluding sensitive PII.
Persistence & Privilege
The manifest's always flag is false, and there are no indications that the skill requests elevated or persistent privileges or modifies other skills' configs.
What to consider before installing
This skill appears to describe a legitimate career-roadmap API but is incomplete: it does not specify the base URL/server, hosting provider, privacy policy, or source homepage. Before installing or using it, ask the publisher for the API base URL, who hosts and stores submitted data, TLS/endpoint security, data retention and deletion policies, and evidence of the claimed expert backing. Do not submit sensitive personal data (SSNs, employer secrets, private contact info) until you confirm where requests are sent and how data is protected. If you cannot verify the host/source, prefer a self-hosted or well-known provider with clear privacy terms.