Cybersec Helper
v1.0.0
Help with application security review, bug bounty workflows, recon, and secure coding while keeping things ethical and scoped. Think critically, use real sources only, and reference OWASP.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, and SKILL.md are consistent: the skill is an advisory/security-review assistant and asks for scope, threat model, and authoritative sources (OWASP, CWE, CVE). No binaries, env vars, or installs are requested, which is appropriate for a guidance-only skill.
Instruction Scope
SKILL.md stays within an advisory scope (asks to clarify scope, refuse illegal actions, prefer lab repros, cite OWASP/CWE). It does mention optional future Notion integration but does not request Notion credentials or declare how they would be used — that should be explicit if implemented. Overall the runtime instructions do not ask the agent to read local files or fetch credentials on their own.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest-risk delivery mechanism. Nothing on-disk will be created by an installer.
Credentials
No required environment variables, credentials, or config paths are declared — proportional to a guidance-only security skill. The mention of Notion integration is conditional and currently not requesting any secrets, but if implemented it should declare required env vars and scopes.
Persistence & Privilege
The skill is flagged always: true (and metadata embeds always:true) but its own SKILL.md restricts usage to security-relevant cases. always:true grants the skill permanent inclusion in every agent run and increases the chance it will be invoked in unrelated contexts; combined with the ability to advise on recon/exploitation (even if instructions say to be ethical), this raises the blast radius and deserves caution. Autonomous invocation is allowed by default; that alone is normal, but always:true without justification is the main issue.
What to consider before installing
This skill's advice and source constraints look reasonable for a security helper, but it is configured to be always active (always:true). That means it will be present in every agent session even when security help is not requested — increasing the chance of unneeded or inappropriate behavior. Before installing:
1) Remove or justify always:true; prefer user-invokable or conditional activation so it only runs when the user asks for security help.
2) If you enable Notion or any other integration later, require explicit credential env vars with minimal scopes and document them in the skill manifest.
3) Limit the agent's ability to perform active reconnaissance or network scans autonomously — keep the skill advisory-only unless you explicitly trust the agent to run actions.
4) Monitor invocation/audit logs for unexpected uses and review the skill's metadata if future code or install specs appear.
If you want, I can suggest a safer manifest change (e.g., remove always:true and add explicit optional env entries for Notion with required scopes).
Like a lobster shell, security has layers — review code before you run it.
latest vk9797nk3ktzjgazz4g1xf5qe3n80rqk5
Runtime requirements
🛡️ Clawdis
