Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cyber Attack Simulation
v1.0.0Professional security testing and vulnerability assessment tool for simulating cyber attacks and generating comprehensive security reports.
⭐ 0· 54·0 current·0 all-time
byToolWeb@krishnakumarmahadevan-cmd
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill presents itself as a hosted 'Cyber Attack Simulation Platform' that runs phishing/SQLi/DDoS simulations, but there is no server URL, no authentication mechanism, no required API key, and no install or code to provide that runtime. A real simulation service would normally require at minimum an endpoint and credentials; their absence is incoherent.
Instruction Scope
SKILL.md describes endpoints and example requests that initiate attacks against targets (hostnames, ports, intensity) but does not require or instruct the agent to verify authorization/consent, restrict targets to test networks, or use safe non-destructive modes. That leaves broad discretion to the agent to initiate simulations against arbitrary hosts — a significant scope/safety gap.
Install Mechanism
There is no install spec and no code files to execute; the skill is instruction-only. This limits on-disk risk, but also means the SKILL.md is purely declarative and relies on the agent/user to perform network operations.
Credentials
Requires no environment variables or credentials despite describing a remote API with usage/pricing. A legitimate remote simulation API would normally require an API key, endpoint URL, or account configuration. The lack of declared credentials or config is disproportionate and unexplained.
Persistence & Privilege
The skill does not request always: true and does not declare persistent system changes. Autonomous invocation is allowed by default (normal), but combined with the other concerns it increases risk unless the user restricts invocation or requires explicit confirmation.
What to consider before installing
This package is inconsistent: it claims to be a hosted attack-simulation service but provides no server address, no auth method, no provenance, and no safety/authorization checks. Before installing or enabling this skill: 1) Do not allow autonomous invocation for this skill — require explicit user confirmation for every run. 2) Ask the publisher for the server base URL, authentication mechanism (API key, OAuth), and proof of identity/ownership (homepage, org info). 3) Require written proof that simulations will only run against authorized, non-production test targets and request audit/logging and rate-limiting controls. 4) Have your security team review any network calls the agent will make; prefer skills that declare required env vars and which restrict target scopes (allow-lists). 5) If you cannot validate the service owner and controls, do not enable the skill — it could be misused to launch real attacks or to trick the agent into performing harmful actions. Note: the absence of static scanner findings does not mean this is safe — this skill is mostly documentation, so the real risk is in how the agent (or a user) uses it.Like a lobster shell, security has layers — review code before you run it.
latestvk976c18v303yxw7gbntczfea1583t63w
License
MIT-0
Free to use, modify, and redistribute. No attribution required.