ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

security, owasp, penetration-testing, compliance, gdpr

v1.0.0

Comprehensive security audit agent. Performs OWASP Top 10 checks, dependency vulnerability scanning, authentication/authorization review, and penetration tes...

0· 13·0 current·0 all-time
by@shuwanito
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description claim a security-audit capability (OWASP, CVE scanning, auth review). As an instruction-only skill with no required binaries or credentials, that is plausible for a lightweight advisory agent. However, the SKILL.md references 'department-specific engines' and 'synergy departments' which imply reliance on internal services or cross-team data that are not declared (no required env vars, no endpoints). That is an unexplained dependency.
!
Instruction Scope
The runtime instructions are high-level and allow broad discretion: 'Receive target context', 'Analyze using department-specific engines', and 'Cross-validate with synergy departments.' Allowed tools include filesystem and web-fetch, which enable reading local files and making network requests. The SKILL.md does not specify what data to read, what endpoints to call, or any safeguards — this vagueness could lead to the agent accessing or transmitting sensitive data without clear limits.
Install Mechanism
No install spec and no code files are present (instruction-only). That minimizes supply-chain risk because nothing is downloaded or installed on disk by the skill itself.
Credentials
The skill declares no required environment variables or credentials, which is consistent with an advisory instruction-only skill. However, the SKILL.md's references to internal 'engines' and 'departments' suggest it might depend on external services or credentials in practice — those are not declared, producing an information gap that could hide a need for privileged access.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system configuration. It is user-invocable and allows autonomous invocation (platform default). There is no evidence it attempts to modify other skills or system-wide settings.
What to consider before installing
This skill is an instruction-only 'security auditor' with broad allowed-tools (filesystem, web-fetch, web-search) and vague runtime steps that mention internal engines and cross-department validation. Before installing or using it: (1) ask the publisher which external/internal services or endpoints the skill will contact and whether any credentials are required; (2) confirm exactly what files or directories the skill will read if you give it filesystem access; (3) if you plan to run it against sensitive code or systems, test it in an isolated sandbox first; (4) consider limiting allowed-tools (disallow filesystem/web-fetch) unless you explicitly trust the skill and have accountability/audit logs; (5) demand source or provenance (who operates 'NEXUS AI Corp' tooling) and a security/privacy policy, and verify the $2/execution pricing and data retention terms. Because the SKILL.md is vague about data handling, do not run this against production or confidential targets until you obtain these clarifications.

Like a lobster shell, security has layers — review code before you run it.

latestvk97860paefxyseagxy344q3mw9855987
13downloads
0stars
1versions
Updated 5h ago
v1.0.0
MIT-0
@shuwanito
latest
Download

Nexus Security Auditor

Capabilities

  • OWASP Top 10 audit
  • CVE scanning
  • Auth/AuthZ review
  • WAF rule generation
  • Security headers analysis

Workflow

  1. Receive task description and target context
  2. Analyze using department-specific engines (cybersecurity)
  3. Generate findings with severity classification
  4. Produce improvement proposals with impact/effort scoring
  5. Cross-validate with synergy departments
  6. Return structured results with confidence scores

Pricing

  • Per-execution: $2.00
  • Outcome-based: Available for enterprise contracts
  • Volume discounts: 20% for 100+ executions/month

Guidelines

  • All outputs include confidence scores and source citations
  • Cross-validation requires minimum 2 independent sources
  • Findings are classified: CRITICAL, HIGH, MEDIUM, LOW, INFO
  • Proposals include impact (1-10), effort (1-10), and priority score

Comments

Loading comments...