Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Government Cybersecurity Vulnerability Intel

v1.0.0

CVE vulnerability lookup via NIST NVD, CISA KEV, EPSS scores, and MITRE ATT&CK. 7 tools for real-time cybersecurity intelligence.

by Martin @martc03
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (CVE lookups from NVD, CISA, EPSS, MITRE) match the runtime instructions: the skill connects your agent to a remote MCP server that presumably aggregates those sources. However the description does not clearly state that it requires adding a third‑party MCP server (hosted at an apify.actor domain), which is an important trust decision for users.
! Instruction Scope
Runtime instructions explicitly tell the user/agent to add a remote MCP server (mcporter add ... or editing ~/.openclaw/mcp.json). The SKILL.md instructs adding/persisting an external server entry, which expands what the agent can call. The metadata declared no required config paths, yet the instructions reference modifying ~/.openclaw/mcp.json — an inconsistency.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only. The only runtime requirement is the 'mcporter' binary, which is reasonable given the instructions.
Credentials
No environment variables or credentials are requested. Requiring the mcporter binary is proportionate to the described operation. No unrelated secrets or services are requested.
! Persistence & Privilege
Although 'always' is false, the instructions tell the user to add a persistent remote MCP server entry (via mcporter or by editing ~/.openclaw/mcp.json). That persisted server can expand agent capabilities and route future tool calls through a third party — a meaningful privilege/attack surface increase that requires trusting the server operator.
What to consider before installing
This skill is essentially a connector: it asks you to add a third‑party MCP server (https://cybersecurity-vuln-mcp.apify.actor/mcp) so the agent can fetch aggregated CVE data. Before installing:

1) Verify the operator and repository (the homepage points to a GitHub repo) and confirm the server actually proxies only government APIs as claimed.
2) Verify the provenance of the 'mcporter' binary you must have — prefer obtaining it from an official source.
3) Be aware that adding the server entry to ~/.openclaw/mcp.json is persistent and gives that server the ability to provide tools/responses to your agent; avoid adding servers you don't fully trust.
4) If in doubt, run queries in a sandboxed environment or request a self-hostable manifest so you can host the aggregator yourself.

The main red flags are (a) the implicit trust in a remote, third‑party server and (b) the metadata omission about modifying ~/.openclaw/mcp.json — ask the maintainer for clarification or a self-host option if you need stronger assurance.

Like a lobster shell, security has layers — review code before you run it.

latestvk973nnjbxk6zd4m3t40ee1yphx81z6mr

Runtime requirements

🛡️ Clawdis
Bins: mcporter