Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Enterprise AI Security Controls Assessment

v1.2.0

Assess OT/ICS security posture across 30 controls in 6 principles — Business Driven, Risk Based, Enterprise Wide, Methodical, OT Security Focused, and OT Sec...

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes an enterprise AI security assessment (domains, scoring, remediation), which aligns with the skill name. However, the top-level metadata/description provided to the evaluator ("30 controls in 6 principles") contradicts the SKILL.md (12 domains, 60 controls). Also, the skill expects an external assessment API (portal.toolweb.in), which is plausible for this purpose but should have been declared as an external dependency or credential requirement.
Instruction Scope
Runtime instructions are instruction-only and call a third-party API (portal.toolweb.in) and expect an API key (X-API-Key or mcp_api_key). The SKILL.md does not instruct the agent to read local files or unrelated environment variables, which is good, but it does direct potentially sensitive organizational data to an external endpoint without declaring how that credential is supplied or scoped.
Install Mechanism
No install spec or code files are present (instruction-only). This minimizes filesystem/write risk; there is no binary download or archive extraction.
Credentials
The SKILL.md requires an API key to authenticate to portal.toolweb.in but the skill metadata declares no required environment variables or primary credential. That mismatch is disproportionate: a network-backed assessment tool should explicitly declare how credentials are passed and which env var (or secret) it needs.
Persistence & Privilege
Skill is not marked always:true and requests no system-level config or persistent presence. Autonomous invocation is allowed (platform default) but not combined with elevated privileges here.
What to consider before installing
This appears to be an external API-backed assessment tool, but there are a few red flags to resolve before installing:

1. Ask the publisher to clarify the discrepancy between the initial metadata (30 controls / 6 principles) and the SKILL.md (12 domains / 60 controls).
2. Confirm how the API key should be supplied: demand an explicit required-env declaration (for example, ENTERPRISE_ASSESSMENT_API_KEY) or integration with your secret manager; do not paste org secrets into free-form prompts.
3. Verify the external endpoint (portal.toolweb.in) and the publisher identity (toolweb.in): check TLS certs, WHOIS, company pages, and references to ensure it's a legitimate vendor.
4. Consider privacy: the skill will transmit organizational security posture data to a third party; test with non-sensitive sample data first and review the vendor's data handling / retention policies and pricing limits.
5. If you need to allow network calls only to approved endpoints, restrict them to the vendor domain and require the vendor to document required headers, scopes, and a least-privilege key.

If these clarifications are not provided, treat the skill as untrusted and avoid sending real organizational secrets or sensitive configuration data.


153 downloads · 0 stars · 2 versions · Updated 2h ago · v1.2.0 · MIT-0

Enterprise AI Security Controls Assessment

Assess your organization's AI security posture across 12 enterprise domains — Identity & Access, Data Protection, Prompt Injection Defense, Model Protection, API Security, Agent Permissioning, Output Filtering, Monitoring & Anomaly Detection, Compliance Mapping, Incident Response, Encryption & KMS, and Risk Intelligence. Each domain covers 5 controls (60 total) and produces prioritized remediation guidance.


Usage

{
  "tool": "enterprise_ai_security_controls_assessment",
  "input": {
    "organization_name": "Acme Corp",
    "industry": "Financial Services",
    "ai_maturity": "intermediate",
    "domains_to_assess": ["identity_access", "prompt_injection_defense", "api_security"],
    "current_controls": {
      "identity_access": {
        "mfa_enabled": true,
        "rbac_implemented": false,
        "service_account_rotation": "manual"
      },
      "prompt_injection_defense": {
        "input_validation": "basic",
        "system_prompt_hardening": false,
        "canary_tokens": false
      }
    }
  }
}

Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| organization_name | string | | Name of the organization being assessed |
| industry | string | | Industry vertical (e.g., Financial Services, Healthcare, Retail) |
| ai_maturity | string | | Current AI maturity level: beginner, intermediate, advanced |
| domains_to_assess | array | | Subset of domain keys to assess. Omit to assess all 12 domains |
| current_controls | object | | Key-value map of existing controls per domain (see domain keys below) |

Domain Keys

| Key | Domain |
|---|---|
| identity_access | Identity & Access Control |
| data_protection | Data Protection |
| prompt_injection_defense | Prompt Injection Defense |
| model_protection | Model Protection |
| api_security | API Security |
| agent_permissioning | Agent Permissioning |
| output_filtering | Output Filtering |
| monitoring_anomaly | Monitoring & Anomaly Detection |
| compliance_mapping | Compliance Mapping |
| incident_response | Incident Response |
| encryption_kms | Encryption & Key Management (KMS) |
| risk_intelligence | Risk Intelligence |

What You Get

  • Domain-by-domain scorecard — maturity rating per domain (Initial / Developing / Defined / Managed / Optimizing)
  • Control gap analysis — which of the 60 controls are missing, partial, or implemented
  • Prioritized remediation roadmap — Quick Wins (0–30 days), Medium-term (30–90 days), Strategic (90+ days)
  • Compliance alignment — mapped to NIST AI RMF, ISO 42001, SOC 2, and GDPR where applicable
  • Executive summary — board-ready summary of AI security posture

Example Output

{
  "organization": "Acme Corp",
  "overall_maturity": "Developing",
  "overall_score": 42,
  "domain_scores": {
    "identity_access": { "score": 60, "maturity": "Defined", "gaps": 2 },
    "prompt_injection_defense": { "score": 20, "maturity": "Initial", "gaps": 4 },
    "api_security": { "score": 55, "maturity": "Developing", "gaps": 2 }
  },
  "top_risks": [
    "No system prompt hardening exposes models to override attacks",
    "RBAC not implemented — lateral movement risk across AI services",
    "No canary token monitoring for prompt exfiltration"
  ],
  "quick_wins": [
    "Enable RBAC on all AI service accounts (3 days)",
    "Deploy input sanitization layer before LLM endpoints (7 days)",
    "Rotate all AI API keys and set expiry policies (1 day)"
  ],
  "compliance_gaps": ["NIST AI RMF: GOVERN-1.1", "ISO 42001: 6.1.2", "SOC 2: CC6.1"]
}

API Reference

Base URL: https://portal.toolweb.in/apis/security/entaisecconass

| Endpoint | Method | Description |
|---|---|---|
| / | GET | Health check |
| /api/ai-security/assess | POST | Run full assessment |
| /api/ai-security/domains | GET | List all 12 domain definitions |
| /api/ai-security/domain/{domain_key} | GET | Get details for a specific domain |

Authentication: Pass your API key in the X-API-Key header, or as the mcp_api_key argument when calling via MCP.
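As an added example (not the skill's or ToolWeb's own code), the following Python checks an assessment request against the documented parameters and domain keys before anything is sent to the external endpoint, and takes the key from an environment variable rather than a prompt. The env var name ENTERPRISE_ASSESSMENT_API_KEY is assumed (the skill declares none); the sample request is constructed from the README's usage example.

```python
import os
from typing import Any, Dict, List, Optional

# The 12 domain keys and maturity levels from the README's tables.
DOMAIN_KEYS = {
    "identity_access", "data_protection", "prompt_injection_defense",
    "model_protection", "api_security", "agent_permissioning",
    "output_filtering", "monitoring_anomaly", "compliance_mapping",
    "incident_response", "encryption_kms", "risk_intelligence",
}
MATURITY_LEVELS = {"beginner", "intermediate", "advanced"}
DOCUMENTED_FIELDS = {"organization_name", "industry", "ai_maturity",
                     "domains_to_assess", "current_controls"}
API_KEY_ENV = "ENTERPRISE_ASSESSMENT_API_KEY"  # assumed; skill declares none


def validate_request(payload: Dict[str, Any]) -> List[str]:
    """Return problems found; empty means the body matches the documented
    parameters, so no undocumented data is about to leave the boundary."""
    problems = []
    for field in sorted(payload.keys() - DOCUMENTED_FIELDS):
        problems.append(f"undocumented field would be sent: {field!r}")
    for field in ("organization_name", "industry", "ai_maturity"):
        if not isinstance(payload.get(field), str) or not payload[field]:
            problems.append(f"{field}: missing or not a non-empty string")
    if payload.get("ai_maturity") not in MATURITY_LEVELS:
        problems.append("ai_maturity: expected beginner/intermediate/advanced")
    for key in payload.get("domains_to_assess", []):
        if key not in DOMAIN_KEYS:
            problems.append(f"domains_to_assess: unknown domain key {key!r}")
    for key in payload.get("current_controls", {}):
        if key not in DOMAIN_KEYS:
            problems.append(f"current_controls: unknown domain key {key!r}")
    return problems


def build_headers(env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Take the key from the environment, never from a prompt; fail closed."""
    key = (os.environ if env is None else env).get(API_KEY_ENV)
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set")
    return {"X-API-Key": key, "Content-Type": "application/json"}


# Constructed sample mirroring the README's usage example.
SAMPLE_REQUEST = {
    "organization_name": "Acme Corp",
    "industry": "Financial Services",
    "ai_maturity": "intermediate",
    "domains_to_assess": ["identity_access", "prompt_injection_defense"],
    "current_controls": {"identity_access": {"mfa_enabled": True}},
}
```

Run validate_request on the body and send only when it returns an empty list; the header dict goes to whichever HTTP client you use to POST to /api/ai-security/assess.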


Pricing

| Plan | Daily Limit | Monthly Limit | Price |
|---|---|---|---|
| Free | 5 / day | 50 / month | $0 |
| Developer | 20 / day | 500 / month | $39 |
| Professional | 200 / day | 5,000 / month | $99 |
| Enterprise | 100,000 / day | 1,000,000 / month | $299 |

About

ToolWeb.in — 200+ security APIs, CISSP & CISM certified, built for enterprise AI security practitioners.

Platforms: Pay-per-run · API Gateway · MCP Server · OpenClaw · RapidAPI · YouTube
