Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vendor Risk Assessment

v1.0.0

Assess third-party vendor risk for AI and SaaS products. Evaluates security posture, data handling, compliance, financial stability, and operational resilien...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, and SKILL.md focus on researching and scoring vendors across security, privacy, compliance, financial, operational, and contractual dimensions. There are no declared env vars, binaries, or install steps that would be unrelated to that research task.
Instruction Scope
The runtime instructions direct the agent to 'research' the vendor (website, certifications, status pages, breach history, Crunchbase/LinkedIn, customer reviews). That is consistent with the purpose, but the guidance is open-ended: it implicitly requires web access and judgement about what sources to trust. It does not instruct the agent to read local files, access unspecified credentials, or transmit data to unexpected endpoints, but the open-ended research step could lead an agent to contact external services or include harvested public information in reports.
Install Mechanism
Instruction-only skill with no install spec, no code files, and nothing will be written to disk by the skill itself. This is the lowest-risk install profile.
Credentials
No environment variables, credentials, or config paths are required. The assessment relies on public research and user-supplied vendor details, which is proportionate to the stated functionality.
Persistence & Privilege
The always flag is false, and the skill does not request permanent system presence or modify other skills. Model invocation is allowed by default (normal for skills) but is not combined with any additional privileged access.
Assessment
This skill appears coherent and limited to vendor research/reporting. Before installing or using it, consider: (1) Do not paste or upload confidential vendor contracts, credentials, or screenshots containing secrets into the agent — only provide non-sensitive vendor metadata. (2) The agent will perform open-ended web research (public sites, Crunchbase/LinkedIn, status pages), so confirm you are comfortable with public-source queries. (3) Verify any critical findings by obtaining vendor-supplied artifacts (e.g., SOC2 report) directly rather than relying solely on automated summaries. (4) If you need the agent to fetch private documents, require explicit controls (scoped, temporary credentials) and audit logging. Overall this skill is internally consistent with its purpose, but treat outputs as advisory and validate high-impact decisions with primary evidence.
