Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Privacy Compliance Assistant

v1.0.0

Generate a detailed Privacy Impact Assessment and DPO report by describing your company, data types, processing purposes, systems, and sharing partners for G...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to generate PIA/DPO reports and its parameters and example outputs are consistent with that purpose. However, the SKILL.md documents an external API endpoint that requires an API key for authentication even though the skill metadata declares no required credentials or primaryEnv — an inconsistency between declared requirements and actual runtime needs.
! Instruction Scope
Runtime instructions require the agent to send complete organization descriptions and lists of data types/systems/third parties to an external API (portal.toolweb.in). Sending PII and internal processing details to a third-party endpoint is expected for this functionality but introduces privacy and exfiltration risk; the SKILL.md does not advise using synthetic data for testing or limit what can be sent.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself. That minimizes supply-chain risk.
! Credentials
Although the metadata lists no required environment variables or credentials, the SKILL.md states the API uses an X-API-Key header or an mcp_api_key argument. The skill should have declared a primary credential or required env var; omission is an incoherence and could lead to ad-hoc credential handling by the agent (risky).
Persistence & Privilege
The skill is not marked always:true and is user-invocable only; autonomous invocation remains allowed (the platform default). The skill does not request persistent system-level privileges or write other skills' configs.
What to consider before installing
Before installing or using this skill:
(1) Confirm the API owner and trustworthiness of portal.toolweb.in — ask for a privacy/DPA and read terms;
(2) Recognize that using the skill will send organization descriptions and potentially PII to an external service — do not submit real personal data or sensitive details during testing; use synthetic/anonymized data;
(3) Require the skill author to declare the credential (X-API-Key / mcp_api_key) in the metadata so the agent can handle secrets explicitly and safely;
(4) Verify TLS and endpoint integrity (HTTPS, valid cert) and ask whether data is stored, for how long, and whether they support a DPA;
(5) Consider self-hosted or local alternatives if you need to keep PII on-prem;
(6) If you proceed, use a scoped API key you can revoke, and monitor usage and logs for unexpected transmissions.
