Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ubuntu Hardening

v1.0.0

Generates professional Linux security hardening configuration files for Ubuntu systems with customizable options.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and openapi.json describe a remote API that generates Ubuntu hardening files, which matches the skill name and description. However, the package has no listed homepage/source provenance (owner ID only) and pricing information implies a commercial API; that mismatch between declared metadata (no homepage, source unknown, no required creds) and the marketing/pricing is worth noting.
Instruction Scope
The instructions describe HTTP endpoints (/api/hardening/generate and /api/hardening/options) and show example requests/responses. They do not instruct the agent to read local files, local system state, or secrets, which is good. However they implicitly require the agent to call external hosts (api.mkkpro.com / toolweb.in) and the SKILL.md does not describe authentication, what data may be transmitted in real usage, or what the API provider will do with submitted data.
Install Mechanism
No install spec and no code files to execute are included (instruction-only). That minimizes local install risk; nothing is written to disk by an installer.
Credentials
The skill declares no required environment variables or credentials, but references an external commercial API and pricing. That absence of declared auth is inconsistent: a paid API usually requires an API key or token. This gap could lead to unclear behavior (agent may attempt unauthenticated calls, or you may be asked to supply credentials later). There's also a risk that sensitive system data could be transmitted to the remote service without clear disclosure.
Persistence & Privilege
always is false, no config paths requested, and no instruction to modify agent/system configuration. The skill does not request persistent privileges.
What to consider before installing
This skill appears to do what it says (generate hardening configs) but lacks provenance and authentication details. Before installing: verify the provider (toolweb.in / api.mkkpro.com) and read its privacy/terms; confirm whether the API requires an API key and where that key is stored; avoid sending full live system snapshots or secrets to the remote API — test with dummy data in an isolated environment first; if you need an offline/local generator for sensitive systems, prefer a tool that runs entirely locally or provides a documented self-hosted option. If possible, ask the publisher for the authoritative OpenAPI servers/security schemes and a contact or repo URL so you can audit the implementation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aq2hpd69ga55gyzrp05b12h83wy5t
