ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NIST CSF Mapper

v1.0.0

Map your security controls and tools to NIST CSF 2.0, receive coverage scores, gap analysis, tier rating, regulatory crosswalk, and a prioritized improvement...

0· 97·0 current·0 all-time
byToolWeb@krishnakumarmahadevan-cmd
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to call an external service (portal.toolweb.in) to generate NIST CSF mappings and expects an API key in its API reference, yet the skill metadata lists no required environment variables or primary credential. That omission is inconsistent: a remote API integration normally requires the caller to provide an API key or token.
Instruction Scope
SKILL.md is instruction-only and stays within the stated purpose: it asks for company profile, tools, boolean posture fields, and describes POSTing that data to /nist-mapping. It does not instruct reading local files, arbitrary env vars, or other system state. The instructions do send potentially sensitive organizational security data to an external endpoint.
Install Mechanism
There is no install spec and no code files; this is instruction-only, which minimizes on-disk installation risk.
!
Credentials
The API reference requires an API key via X-API-Key or mcp_api_key, but the skill metadata declares no required env vars/primary credential. That discrepancy means the skill's declared permissions understate the secret/API access it needs. Also, the skill will transmit detailed security posture data to an external endpoint — sensitive information that warrants explicit justification and documented handling.
Persistence & Privilege
The skill does not request always: true, does not modify other skills, and declares no config paths. It does allow autonomous invocation (default), but that is the platform norm and not by itself a problem.
What to consider before installing
This skill appears to be a thin wrapper around an external API (portal.toolweb.in) that will receive detailed information about your security posture. Before installing or using it: 1) Confirm the provider identity and homepage/source (metadata lists none). 2) Do not send production-sensitive or confidential data until you verify the vendor's security/privacy policies and TLS ownership. 3) Ask the publisher why no credential is declared in the metadata even though SKILL.md requires an API key; require that the skill declare a primary credential or prompt for it explicitly. 4) Test with synthetic or redacted data first. 5) If you must provide an API key, use least-privilege credentials and short-lived keys where possible and review audit logs for API use. 6) If you need an on‑premise or offline mapping for compliance reasons, prefer tools that run locally rather than outsourcing security posture data to an external service.

Like a lobster shell, security has layers — review code before you run it.

latestvk9756rgmz44nxcdkpsk27k36h1837wd3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments