Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ISO 27001 Policy Generator

v1.0.0

Generate customized ISO 27001:2022 aligned information security policy documents based on your company's profile, infrastructure, and compliance needs.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (ISO 27001 policy generator) match the SKILL.md usage and example outputs. However, the SKILL.md documents an external hosted API (https://portal.toolweb.in/...) as the service that actually performs generation; the skill metadata does not disclose that it relies on an external service or list the required API credential.
Instruction Scope
The instructions expect the agent to POST full organization profiles (company name, infrastructure, data types, locations, etc.) to an external endpoint. That means potentially sensitive PII and security posture data would be transmitted off-host. The SKILL.md requires all input fields and shows how to authenticate, so data exfiltration to a third party is an implicit behavior that is not highlighted in metadata or provenance.
Install Mechanism
Instruction-only skill with no install steps or code files — nothing is written to disk or installed, which reduces supply-chain risk.
Credentials
The API reference requires an API key (X-API-Key or mcp_api_key) but the skill's declared requirements list no environment variables or primary credential. That omission is an inconsistency: a credential is needed by the API but is not declared in metadata, and the SKILL.md does not explain how the key is to be provided safely. Additionally, the skill requests highly sensitive organization data which is disproportionate unless you trust the external service.
Persistence & Privilege
Flags such as always:false and default invocation settings are normal. The skill does not request persistent system privileges or to modify other skills; no unusual persistence or privilege escalation is requested.
What to consider before installing
This skill appears to be a front-end for a hosted policy-generation API (portal.toolweb.in) and would send detailed organizational data to that external service. Before installing or using it:
(1) Confirm the provider's identity, privacy policy, and data handling/security practices.
(2) Ask why the API key requirement is not declared in the skill metadata and how the key will be supplied and stored.
(3) Do not submit real PII or sensitive security posture data in initial tests; try non-sensitive sample inputs first.
(4) Prefer a local/offline generator if you must keep data in-house.
(5) If you proceed, create a limited-scope/test API key and monitor outbound requests.
(6) If uncertain about trustworthiness, decline, or require source code/an auditable implementation that performs generation locally rather than posting your data to an unknown third party.


latest: vk97cknar3hj4s751b6bfyk9jss8379b0
