Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cisa Alert Monitor

v1.0.0

Free API to monitor CISA Known Exploited Vulnerabilities (KEV). No subscription. Track actively exploited CVEs with government alerts, due dates, and priorit...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code: the code fetches the CISA KEV feed, optionally uses NVD and MITRE ATT&CK data to enrich CVEs, and produces prioritized outputs. The Apify actor dependency is consistent with the described Apify actor.
Instruction Scope
Runtime instructions and code limit actions to fetching public threat feeds (cisa.gov, nvd.nist.gov, GitHub MITRE data), computing scores, caching results in the actor Key-Value store, pushing results, and attempting an Actor.charge for pay-per-use. The charge/monetization step is important and may incur costs; instructions do not read unrelated local files or environment variables.
Install Mechanism
This is marked instruction-only in the registry but the package includes Node source and a package-lock with many dependencies. There is no install spec provided — running the code will pull/install dependencies (apify/crawlee ecosystem). The dependency tree is large and includes packages (e.g., event-stream via transitive deps, and an odd-scoped package @sec-ant/readable-stream) that increase risk and deserve review.
Credentials
The skill requests no declared environment variables, which matches the code. README mentions an optional NVD API key for rate limits (input parameter or env); that's reasonable but the registry did not declare required envs. The actor calls Actor.charge (pay-per-use) — this is not a secret but is a capability that will attempt to bill; users should be aware and verify billing terms.
Persistence & Privilege
always:false and normal autonomous invocation. The skill caches fetched data in its own Apify key-value store (Actor.getValue/Actor.setValue) which is expected. It does not request or modify other skills' configs or system-wide settings.
Scan Findings in Context
[pre-scan-injection-signals-none] expected: Static pre-scan reported no injection signals; that's consistent with the code being straightforward network fetch + scoring logic.
[dependency-event-stream-present] unexpected: package-lock shows event-stream (transitive). Historically certain versions of event-stream were exploited; presence itself is not necessarily malicious but increases the attack surface and should be reviewed/audited before installation.
[unfamiliar-homepage-domain] unexpected: Homepage is a non-obvious domain (https://x402.ntriq.co.kr). That doesn't prove malice but is worth verifying against the publisher/owner identity and Apify listing to ensure you're installing the intended actor.
What to consider before installing
Key things to consider before installing:

  • This actor will fetch public feeds (CISA, NVD, MITRE) and cache results; that behavior matches the description.
  • It is pay-per-use: the code calls Actor.charge. Confirm pricing, billing authority, and whether you want charges enabled. Expect an automatic charge per analysis as documented ($0.05 per analysis in README).
  • The package-lock shows a large dependency tree (Apify/Crawlee ecosystem) including transitive packages that have had security incidents in the past. If you run this in a sensitive environment, audit the lockfile and dependencies or run in a sandbox.
  • Verify publisher identity and the homepage/Apify listing (owner ID and x402.ntriq.co.kr) before trusting billing and data handling.
  • If you need stronger assurance: request the publisher to provide a minimal install/run checklist, a signed release or a vetted Apify actor listing, or run the code in an isolated environment and inspect network calls and charges during a test run.

Overall: functionally coherent, but review dependency/author identity and be explicit about accepting pay-per-use charges before enabling this skill.


latest: vk976gd246m66xjqcpwjc0y8kfx842s5c


SKILL.md

Cisa Alert Monitor

Free API to monitor CISA Known Exploited Vulnerabilities (KEV). No subscription. Track actively exploited CVEs with government alerts, due dates, and priority guidance. Government data, pay-per-use.

Usage

Available on Apify Store and via x402 micropayments.

Service Catalog

curl https://x402.ntriq.co.kr/services

Features

  • AI-powered analysis
  • JSON structured output
  • Pay-per-use pricing


Files

7 total
