ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GKE Autopilot Hardening

v1.0.0

Generate and apply security hardening configurations for Google Kubernetes Engine AutoPilot clusters.

0· 33·0 current·0 all-time
byToolWeb@krishnakumarmahadevan-cmd
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description promise both generation and application of hardening to GKE Autopilot clusters. The included OpenAPI and SKILL.md, however, only document a /generate endpoint (produce manifests). There is no endpoint, instruction, or declared environment variable for authenticating to Google Cloud, for providing kubeconfigs, or for remotely applying manifests to clusters. That leaves an unexplained gap: how would the skill actually apply changes to a GKE cluster?
!
Instruction Scope
SKILL.md is an API specification and examples, not an actionable runtime script. It does not instruct the agent to read local kubeconfigs or GCP credentials (which would be necessary to apply changes), nor does it document authentication to the external API endpoints referenced. The spec references external endpoints (api.mkkpro.com and toolweb.in) but gives no guidance on credentials or what cluster data (if any) is sent to those remote services.
Install Mechanism
This is an instruction-only skill with no install spec or code files to execute. That reduces surface risk from arbitrary downloads or local installs.
!
Credentials
No environment variables, credentials, or config paths are declared. For a skill that claims it can 'apply' security configurations to GKE clusters, one would expect explicit handling of GCP service account keys, kubeconfig, or an API key for the remote service. The omission could be benign (the API is expected to be used manually) but is inconsistent and should be clarified before trusting the skill with cluster changes.
Persistence & Privilege
The skill does not request always:true, does not ship installers, and does not claim to modify other skills or global agent settings. It appears not to require persistent elevated privileges.
What to consider before installing
Do not grant this skill automatic authority to change your clusters yet. Ask the publisher to clarify: (1) exactly how an 'apply' is performed — is it done by a remote service or by the agent locally? (2) what authentication is required (GCP service account, kubeconfig, or an API key) and where that credential is stored/transmitted; (3) whether the remote endpoints (api.mkkpro.com / toolweb.in) will receive cluster manifests or sensitive metadata; and (4) who operates the service and where code or runbooks are published. If you plan to use this, require least-privilege credentials, prefer offline/manual application of generated manifests, and verify the remote API's TLS certificate and privacy practices. If the publisher cannot clearly explain the missing 'apply' step and authentication model, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dccnqez5bz9axx7bknvdxs183z90j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments