Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
CISO Daily Security Pulse
v1.0.0
Comprehensive daily security posture assessment tool that provides CISOs with actionable security insights and metrics.
by ToolWeb (@krishnakumarmahadevan-cmd)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md and openapi.json describe a CISO security-assessment API (GET health, POST assess). There are no unrelated binaries, env vars, or install steps — the claimed purpose matches the provided API surface.
Instruction Scope
The SKILL.md exposes endpoints and example payloads that would cause an agent to send organizational security telemetry (vulnerabilities, incident counts, user IDs) to external endpoints. The instructions do not explain authentication, data handling, retention, or consent, so using the skill could result in sensitive data being transmitted to an external service without clear safeguards.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute; nothing is written to disk by an installer. This is the lowest install risk.
Credentials
The skill declares no required environment variables or credentials. That can be reasonable for a public unauthenticated service, but most APIs that process sensitive telemetry require API keys / auth — the lack of declared credentials is ambiguous and increases risk because the SKILL.md references external API endpoints but provides no auth guidance.
Persistence & Privilege
The skill's "always" flag is false and the skill is user-invocable. It does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed (platform default) but is not combined here with other high-risk privileges.
What to consider before installing
This skill appears to wrap an external CISO assessment API (toolweb.in) and includes example payloads that contain sensitive security telemetry and user identifiers. Before installing or invoking it:
1) Verify vendor identity and hosting (toolweb.in) and confirm the API's privacy, retention, and data-handling policies.
2) Confirm whether the API requires authentication; if it does, ask why the skill doesn't declare required credentials.
3) Never send real production telemetry, credentials, or PII in initial tests; use synthetic, non-sensitive data.
4) If you need to send organizational security data, prefer skills that document encryption, access controls, and a trusted provenance (homepage, publisher contact, or well-known registry).
If you cannot verify the service and its security/privacy practices, avoid using the skill for real data.
latest: vk97de0tgbzf8z33dg6nst39ye984bwm3
