Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Forensic Audit Roadmap

v1.0.0

Professional career roadmap platform that generates personalized forensic audit learning paths and specialization recommendations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be an API-driven Forensic Audit Roadmap service and the SKILL.md + openapi.json describe endpoints and request/response schemas — this aligns with the stated purpose. However, there is no server/base URL, no hosts listed in openapi.json, and no mention of required API keys or auth flows. An API platform would typically declare how to reach it and how to authenticate; the absence of that information is a notable omission (incoherent/unfinished rather than obviously malicious).
Instruction Scope
The SKILL.md confines itself to describing API endpoints, sample requests/responses, and schemas; it does not instruct the agent to read local files, environment variables, system state, or transmit data to external endpoints beyond the (undefined) API. That said, because no base URL is provided, runtime behavior is ambiguous — an agent might try to infer or ask for the endpoint, which could lead to unintended network calls if misconfigured.
Install Mechanism
There is no install spec and no code files to execute; this is instruction-only so nothing will be written to disk during installation. This is the lowest-risk install mechanism.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportionate given the provided documentation, though it is surprising for an API-driven service which commonly requires an API key — the omission is more likely an incomplete specification than a request for unnecessary secrets.
Persistence & Privilege
The skill is not always-enabled, and it does not request or describe any persistent system changes or cross-skill configuration. Autonomous invocation is allowed by platform default but is not combined with other red flags here.
What to consider before installing
This skill appears to be a documentation-only description of an API but is incomplete: the openapi.json contains no server/base URL and SKILL.md does not describe authentication or a publisher. Before installing or allowing the agent to call it, ask the publisher for the API host, authentication method (API key/OAuth), and source code or homepage. Do not provide any sensitive credentials until you confirm they are necessary and tied to a legitimate endpoint. If you test it, do so in a controlled environment (no production secrets) and monitor outbound network requests. If you need this functionality, prefer a skill that includes a verifiable homepage, clear auth requirements, or provider-signed OpenAPI servers.


latestvk9779r3kxgsqjczz0jzar6ae1183vrsr
