Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
FortiGate Hardening
v1.0.0
Professional FortiGate security configuration generator based on CIS Benchmark standards for enterprise firewall hardening.
by ToolWeb @krishnakumarmahadevan-cmd
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be an API that generates hardened FortiGate configs, and the included SKILL.md + openapi.json match that purpose (endpoints to generate and list options). However the SKILL.md references external domains (e.g., api.mkkpro.com and toolweb.in) while the package provides no authoritative homepage or server configuration; the source is 'unknown'. This incomplete provenance is a minor coherence issue.
Instruction Scope
The runtime instructions specify submitting hardening payloads (sessionId, userId, hardeningOptions) and returning a download_url. They do not instruct the agent to read local files or other unrelated system state, which is good. But they also do not include an explicit, trusted base URL or a data-handling/privacy disclosure — the example download_url points to an external host, which means the agent (or a user following the doc) may send potentially sensitive firewall configuration data to a third party.
Install Mechanism
No install spec and no code files (instruction-only). That minimizes local execution risk — nothing will be written to disk or auto-installed by the skill package itself.
Credentials
The skill requests no environment variables or credentials, which is consistent with a generator-only API that returns a file for manual application. However, because the skill's examples show an external download_url and pricing, a user might be expected to send sensitive firewall configuration data to a third-party service; the skill gives no guidance about credentials, encryption, retention, or privacy. Lack of clarity about where data goes and how it's protected is a proportionality concern.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; it does not demand elevated persistence or modify other skills. Autonomous invocation is allowed by default but not combined with other red flags here.
What to consider before installing
This skill appears to be a remote API that generates FortiGate configuration files. Before installing or using it, verify the service owner and hosting domain (there is no homepage in the package and the sample download_url references api.mkkpro.com/toolweb.in). Do not submit real production firewall details or secrets until you confirm data handling, retention, and encryption policies. Prefer testing with sanitized or dummy data first. If you need an offline or auditable hardening tool, ask the publisher for source code or an on-premise option (or use vendor-supplied CIS-hardening guidance). If you decide to proceed, require a written data-processing agreement and confirm the service uses HTTPS and explicit authentication; otherwise treat this as untrusted third-party processing of sensitive network configuration.
Like a lobster shell, security has layers — review code before you run it.
latestvk9707ydhj4ecb8f77qk4gr5wen83w6fk
