Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenShift Hardening
v1.0.0
Professional OpenShift Container Platform security configuration generator that creates hardened deployment manifests and security policies.
by ToolWeb @krishnakumarmahadevan-cmd
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and openapi.json describe an API that generates OpenShift hardening manifests and policy objects, which is coherent with the skill name and description. However the package claims Red Hat branding while the source/homepage are missing and the owner ID is unverified — that mismatch is a provenance/branding concern (possible impersonation or misleading naming).
Instruction Scope
The instructions present sample requests/responses and an OpenAPI spec for endpoints that accept hardeningOptions and return download URLs. They do not instruct the agent to read local system files or environment variables, but they imply sending user-supplied configuration/context to a remote service. Because OpenShift manifests and cluster details can be sensitive, this external-call vector is a privacy/exfiltration risk even though the SKILL.md doesn't directly tell the agent to read local files.
Install Mechanism
No install spec and no code files beyond documentation/OpenAPI are included; this is instruction-only so nothing will be written to disk by an installer. That lowers risk from arbitrary code installation.
Credentials
The skill declares no required environment variables or credentials. At first glance this is proportional, but the OpenAPI spec contains no securitySchemes or authentication details: the documented endpoints (including a downloadUrl hosted at https://api.mkkpro.com) appear callable without declared credentials. Sending potentially sensitive cluster config to an unauthenticated third‑party endpoint is a data‑exposure concern. Also the lack of provenance for the service means there's no assurance of how submitted data will be stored or used.
Persistence & Privilege
always:false and no install/update behavior are present. The skill does not request permanent presence or modify other skills/configs — no elevated persistence privileges are requested.
What to consider before installing
This skill appears to implement what it claims (OpenShift hardening config generation) but has several red flags you should consider before installing or using it:
- Verify the vendor and provenance: the SKILL.md uses Red Hat terminology but there is no source or homepage and the owner ID is unverified. Confirm this is an official or trusted provider before sending data.
- Avoid sending sensitive cluster data or secrets: the API paths and the example download URL point to api.mkkpro.com and the OpenAPI spec does not define authentication. Data you send could be stored or accessed by a third party.
- Prefer local/offline generation or an officially supported tool if you must harden production clusters. If you still want to test this skill, do so in an isolated environment with non-production data and contact the vendor for security/privacy documentation and authentication requirements.
- If you need to proceed in a real environment, ask the skill author for: a) proof of identity/affiliation, b) privacy/security policy for submitted data, and c) an authenticated API flow (OAuth/API key) with clear retention rules.
Because of the external service call and lack of provenance/authentication, treat this skill as suspicious until those questions are answered.
