ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GKE Hardening

v1.0.0

Generates CIS Benchmark-aligned security hardening configurations for Google Kubernetes Engine clusters.

0· 35·0 current·0 all-time
byToolWeb@krishnakumarmahadevan-cmd
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md examples and openapi.json are consistent: the skill is a generator for GKE CIS-based hardening configs and exposes endpoints to generate configs and list options. There are no unrelated binaries, env vars, or config paths requested.
Instruction Scope
SKILL.md is narrowly scoped to accepting hardeningOptions/sessionId/userId/timestamp and returning YAML config files. However, the doc and references point to an external hosted API (api.mkkpro.com / toolweb.in) as the implementation. That implies the agent will send request data (including session/user identifiers and the chosen hardening options) to a third party — this is reasonable for a hosted service but is a behavior users should be aware of.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute locally; lowest install risk. The openapi.json is present for API schema purposes only.
!
Credentials
The documentation and pricing indicate a hosted API, but the skill does not declare any required credentials, API keys, or security schemes. If the service requires authentication or will receive potentially sensitive GKE configuration details, not declaring required credentials is an inconsistency and a privacy/security concern. Sending cluster policy choices or identifiers to a remote service without explicit auth and data-handling guidance could expose sensitive information.
Persistence & Privilege
Skill does not request always:true, does not modify other skills, and has no elevated persistence or system privileges. Autonomous invocation (model invocation enabled) is the platform default and not by itself an issue.
Scan Findings in Context
[no_regex_findings] unexpected: The regex-based scanner produced no findings because this is an instruction-only skill with no executable code files. Absence of findings does not imply safety — the runtime behavior (calls to external APIs) is defined in SKILL.md and openapi.json rather than in local code.
What to consider before installing
This skill appears to be a front-end for a hosted service that generates GKE hardening YAMLs. Before installing or using it, consider: (1) The skill will send your hardening options and session/user identifiers to a third party (toolweb.in / api.mkkpro.com). Don't send real cluster names, credentials, secrets, or anything uniquely identifying unless you trust the service. (2) The skill does not declare required API credentials or a security scheme — ask the publisher whether an API key or authentication is required and how data is protected in transit and at rest. (3) Review the external API's docs, privacy policy, and TLS certificate; verify pricing and rate limits. (4) If you need local-only generation for sensitive environments, prefer a skill that runs entirely locally or provides explicit offline operation. (5) If you proceed, test with non-sensitive/dummy data first and request written details about audit logging, retention, and how user/session IDs are used.

Like a lobster shell, security has layers — review code before you run it.

latestvk976qmpyrtnhhp5kps859xg7t183zk8a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments