Skill v1.0.2

ClawScan security

Web Vulnerability Assessment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 3:11 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally coherent: it is an instruction-only wrapper around the ToolWeb API and only requests curl plus a single TOOLWEB_API_KEY; the main user-facing risk is that assessment data (potentially sensitive) is sent to a third-party service for analysis and billing.
Guidance
This skill delegates all analysis to ToolWeb (portal.toolweb.in). Before installing:
1) Confirm you trust ToolWeb and review their privacy, data retention, and billing terms; you will be sending organization and application details to their API.
2) Avoid sending secrets (API keys, full database connection strings, private keys) in assessment inputs; if needed, redact them or use test data.
3) Store and rotate TOOLWEB_API_KEY like any other credential; ensure it has appropriate scope and is not shared broadly.
4) Test with non-sensitive sample data first to verify output and parsing.
5) If you need offline or on-prem assessments (no external data transfer), this skill is not appropriate, because it mandates calling the external API and explicitly forbids local generation.
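A pre-flight wrapper for guidance items 2 and 3 (strip secrets from the assessment inputs, keep the key out of the inputs and out of the URL), written here as an added example; it is not code from the ClawHub scan or from the ToolWeb skill. It takes from this page only the endpoint URL, the TOOLWEB_API_KEY variable, curl as the transport, and the four input fields named under Instruction Scope (organization_name, application_name, technology_stack, assessment_scope). The JSON body shape, the Authorization header, and the secret patterns are assumptions for illustration, since the real request format in SKILL.md is not reproduced on this page.

```python
"""Pre-flight redaction for ToolWeb assessment inputs.

Added example; not part of the ClawHub scan or of the ToolWeb skill. From the
scan page: the endpoint URL, TOOLWEB_API_KEY, curl as transport, and the four
input fields. The JSON body shape, the Authorization header name and the secret
patterns are ASSUMPTIONS; check SKILL.md for the real request format.
"""
import json
import re
from typing import Dict, List, Tuple

ENDPOINT = "https://portal.toolweb.in/apis/security/web-vuln-assessment"
FIELDS = ("organization_name", "application_name", "technology_stack", "assessment_scope")

# (pattern, replacement) pairs applied in order. The PEM rule runs first so a key
# body is removed whole instead of being nibbled at by the shorter token rules.
SECRET_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     "[REDACTED PRIVATE KEY]"),
    # scheme://user:password@host -> keep the user, drop the password
    (re.compile(r"(?P<p>[a-z][a-z0-9+.-]*://[^/:@\s]+:)[^@\s]+(?=@)", re.I), r"\g<p>[REDACTED]"),
    # AWS access key IDs: fixed prefix, fixed length
    (re.compile(r"\bAKIA[A-Z0-9]{16}\b"), "AKIA[REDACTED]"),
    # bearer tokens
    (re.compile(r"(?P<p>\bBearer\s+)[A-Za-z0-9._~+/=-]{20,}"), r"\g<p>[REDACTED]"),
    # generic key=value / key: value secrets; deliberately over-matches
    (re.compile(r"(?P<p>(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*)[^\s,;\"']+", re.I),
     r"\g<p>[REDACTED]"),
]


def redact_secrets(text: str) -> Tuple[str, int]:
    """Return (redacted_text, redaction_count). Over-redaction is the safe failure mode."""
    total = 0
    for pattern, replacement in SECRET_PATTERNS:
        text, n = pattern.subn(replacement, text)
        total += n
    return text, total


def redact_inputs(inputs: Dict[str, str], api_key: str) -> Dict[str, str]:
    """Redact every declared input field; refuse if the key is empty or leaks into an input."""
    if not api_key:
        raise ValueError("TOOLWEB_API_KEY is not set")
    body: Dict[str, str] = {}
    for field in FIELDS:
        value = inputs.get(field, "")
        if api_key in value:
            raise ValueError(f"TOOLWEB_API_KEY appears inside {field}; refusing to send")
        body[field], _ = redact_secrets(value)
    return body


def build_curl_argv(inputs: Dict[str, str], api_key: str) -> List[str]:
    """Return the curl argv that would be run (not executed here).

    Assumed request shape: JSON body plus a bearer-style header. The key travels
    in a header rather than the URL so it stays out of proxy and access logs.
    """
    body = redact_inputs(inputs, api_key)
    return [
        "curl", "-sS", "--fail", "-X", "POST", ENDPOINT,
        "-H", "Content-Type: application/json",
        "-H", f"Authorization: Bearer {api_key}",  # header name is an assumption
        "--data", json.dumps(body),
    ]


if __name__ == "__main__":
    import os
    import shlex
    # Constructed sample input: one field carries a database URL with an embedded
    # password and another a CI token; both are stripped before anything leaves the host.
    sample = {
        "organization_name": "Example Org",
        "application_name": "Billing Portal",
        "technology_stack": "Django 4.2, PostgreSQL via postgres://app:Sup3rS3cret@db.internal:5432/prod",
        "assessment_scope": "Public web tier only; token=abcdefghijklmnopqrstuvwxyz0123 is the deploy token",
    }
    argv = build_curl_argv(sample, os.environ.get("TOOLWEB_API_KEY", "dry-run-key"))
    print(shlex.join(argv))  # review what would be sent before running it for real
```

The patterns are heuristics and will occasionally redact harmless text (anything that looks like `password: x`), which is the right direction to fail in. Printing the argv rather than executing it matches guidance item 4: inspect the redacted payload on sample data first. Passing the key as a `-H` argument still exposes it in process listings; for production use, write the header to a file readable only by the agent and pass it with curl's `-H @file` form.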

Review Dimensions

Purpose & Capability
ok · Name/description match the behavior: SKILL.md requires TOOLWEB_API_KEY and curl and directs the agent to call https://portal.toolweb.in/apis/security/web-vuln-assessment to produce OWASP-aligned assessments. The requested resources (one API key and curl) are proportional to a remote SaaS-based assessment service.
Instruction Scope
note · The instructions explicitly require always calling the external ToolWeb API and forbid generating assessments locally. The workflow sends inputs such as organization_name, application_name, technology_stack, and assessment_scope to the remote endpoint, and the HTML response is parsed. This is coherent for a SaaS-backed skill, but it means potentially sensitive application and organizational data will be transmitted off-host.
Install Mechanism
ok · Instruction-only skill with no install spec and no downloaded code; lowest-risk install footprint. Requires curl to be present on PATH (reasonable and declared).
Credentials
ok · Only one environment variable is required (TOOLWEB_API_KEY), declared as the primary credential. That is appropriate and expected for a remote API integration. Note: the API key authorizes calls that will transmit user-supplied assessment data to the vendor.
Persistence & Privilege
ok · The always flag is false and there are no requested config paths or system-wide changes. disable-model-invocation is false (the normal setting), so the skill may be invoked autonomously by the agent per platform defaults; this is expected and is not elevated privilege by itself.