Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Security Posture Maturity

v1.0.0

Professional multi-dimensional security maturity evaluation platform that assesses organizational security across eight critical domains.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md and included openapi.json are consistent: they describe an assessment API over eight domains and provide matching endpoints and request/response schemas. However, the skill advertises pricing and tiers but the OpenAPI and SKILL.md include no host, security schemes, or required credentials — that omission is unusual for a paid API and worth questioning.
Instruction Scope
SKILL.md is instruction-only and only describes API endpoints, sample requests/responses, and expected behavior. It does not direct the agent to read local files, environment variables, system paths, or to transmit data to unexpected endpoints outside the described API.
Install Mechanism
No install spec and no code files are provided beyond documentation and OpenAPI; nothing is written to disk or executed during install. This is low-risk from an installation perspective.
Credentials
The skill declares no required environment variables, binaries, or credentials, which is proportionate to an instruction-only API description. However, the presence of pricing/tiers and a production-sounding API with no declared auth or host is atypical and could mean the author omitted necessary authentication info or expects the agent/user to supply secrets out-of-band — clarify before sending any sensitive organizational data.
Persistence & Privilege
The skill is not always-enabled (always:false) and is user-invocable. It does not request elevated or persistent privileges and does not modify other skill configurations according to the provided metadata.
What to consider before installing
This skill is internally coherent: it provides an OpenAPI spec and a clear description of endpoints. However, the publisher is unknown, there's no homepage or contact, and the API spec contains no host or authentication scheme despite advertising paid plans — that is unusual. Before using or sending real organizational data: 1) ask the publisher for a canonical API base URL, security/authentication method (API key/OAuth), and a privacy/data-retention policy; 2) verify the publisher's identity and reputation (homepage, company, or maintainer contact); 3) avoid sending sensitive or identifying data to the API until you can confirm encryption, access controls, and contractual protections; and 4) prefer testing with anonymized or synthetic data in a sandbox. If the author cannot provide verifiable details, treat the skill as untrusted and do not transmit real assessment data.


Version: latest (vk976d5et1kn2tmyavy26epep6s83xekq)

