Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Suspicious File Scanner
v1.0.0
Analyzes uploaded files to detect suspicious characteristics and potential security threats.
by ToolWeb @krishnakumarmahadevan-cmd
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and the included OpenAPI schema align: the skill is an instruction-only wrapper describing a file-scanning API (POST /scan-file). There are no unrelated binaries, env vars, or installs requested, so the declared capability is consistent with requirements.
Instruction Scope
Runtime instructions explicitly tell the agent (and users) to upload files via multipart/form-data to an external endpoint (api.mkkpro.com). For a scanner this is expected, but the SKILL.md gives no details about authentication, retention, privacy, encryption, or allowed data types; it therefore instructs transmission of potentially sensitive files to an external service without safeguards.
Install Mechanism
No install spec and no code files — the skill is instruction-only, which minimizes local code execution risk. There is nothing being downloaded or written to disk by an installer.
Credentials
The skill requires no environment variables or credentials. However, the pricing and documentation references imply a third-party service that may require account/auth in practice; the SKILL.md does not explain authentication or access controls. The absence of declared credentials reduces immediate risk but also omits how the service enforces usage and protects uploaded data.
Persistence & Privilege
always:false (normal). Autonomous invocation is allowed by default — combined with the instruction to upload files to an external endpoint, autonomous use increases the blast radius because an agent could send files without explicit user confirmation. This is a contextual risk rather than a direct misconfiguration.
What to consider before installing
This skill appears to do what it says (scan files) but it transmits uploaded files to an external service (api.mkkpro.com/toolweb.in) with no authentication or privacy details in the SKILL.md. Before installing:
(1) Do not upload sensitive or proprietary files unless you verify the vendor and their privacy/retention policy.
(2) Confirm whether the API requires an API key or account and how data is stored/retained/encrypted.
(3) Test with harmless sample files first.
(4) Prefer scanning services you control or that provide on-premise agents if data confidentiality matters.
(5) If possible, disable autonomous invocation or require user confirmation before the agent sends files externally.
(6) Verify TLS endpoints and domain ownership (toolweb.in / api.mkkpro.com) and review the provider's terms and privacy policy.
Like a lobster shell, security has layers — review code before you run it.
