Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WordPress Security Scanner

v1.0.0

Scan WordPress sites for security vulnerabilities, misconfigurations, and potential threats.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The SKILL.md advertises an automated WordPress scanner and lists external endpoints (toolweb.in, api.mkkpro.com) and pricing, but the skill contains no implementation code, and the openapi.json declares no server URL and no auth scheme. It is therefore unclear whether the agent performs scans locally or calls a remote API, and no credentials or billing hooks are declared despite the pricing and options described in the documentation.
Instruction Scope
Instructions are narrowly scoped to a POST /scan request and example request/response shapes. They do not instruct reading local files or other system state, but they also do not specify which host to call or whether/how to authenticate. The SKILL.md references external API docs and routes, which implies outbound network calls to third-party services.
Install Mechanism
No install spec and no code files to execute are included (instruction-only), so nothing will be written to disk by an installer. This minimizes local install risk, but runtime network calls remain possible.
Credentials (flagged)
The skill declares no required environment variables or primary credential, yet its documentation and external endpoints suggest a third-party API that is likely gated by API keys or billing. The absence of declared auth or required secrets is an inconsistency — if an API key is needed the skill should declare it; if not, the docs should explain how unauthenticated use is allowed.
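The two flagged findings above (Purpose & Capability, Credentials) come down to one consistency check: does the skill's OpenAPI document declare the servers and auth that its SKILL.md implies? The following is an added example of that check, written for this page and not code from ClawHub or from the skill. The openapi.json and SKILL.md excerpts are constructed to mirror the report (a POST /scan operation, hosts toolweb.in and api.mkkpro.com, pricing text, no declared env vars); the "fixed" spec's host, header name and auth model are assumptions, since the real API's details are not on the page.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample openapi.json: defines POST /scan but declares no servers
# and no securitySchemes, mirroring what the scan report describes.
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.0",
    "info": {"title": "WordPress Security Scanner", "version": "1.0.0"},
    "paths": {
        "/scan": {
            "post": {
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object", "properties": {"url": {"type": "string"}}}}}},
                "responses": {"200": {"description": "scan result"}},
            }
        }
    },
})

# The same spec with the fields a reviewer would ask for. The host, header
# name and auth model are assumed for the example, not taken from the skill.
_fixed = json.loads(SAMPLE_OPENAPI)
_fixed["servers"] = [{"url": "https://api.mkkpro.com"}]
_fixed["components"] = {"securitySchemes": {
    "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}}
_fixed["security"] = [{"apiKey": []}]
SAMPLE_OPENAPI_FIXED = json.dumps(_fixed)

# Constructed SKILL.md excerpt: names external hosts and pricing but declares
# no environment variable. The URL paths are invented for the example.
SAMPLE_SKILL_MD = """\
# WordPress Security Scanner
Scan a site: POST https://api.mkkpro.com/scan with {"url": "..."}
Docs: https://toolweb.in/docs/wordpress-scanner
Pricing: 100 scans per month free, paid tiers above that.
"""

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
ENV_RE = re.compile(r"\b[A-Z][A-Z0-9]*_[A-Z0-9_]+\b")          # e.g. MKKPRO_API_KEY
BILLING_RE = re.compile(r"\b(pricing|paid|billing|api key|apikey)\b", re.I)
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def audit_skill(openapi_text: str, skill_md: str) -> dict:
    """Compare what the OpenAPI document declares with what the docs imply."""
    spec = json.loads(openapi_text)
    servers = [s.get("url", "") for s in spec.get("servers", [])]
    server_hosts = {urlparse(u).hostname for u in servers} - {None}
    schemes = sorted(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security", [])

    operations = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                # A per-operation "security" list overrides the document-level
                # one; an explicit empty list means "no auth required".
                secured = bool(op.get("security", global_security))
                operations.append({"method": method.upper(), "path": path, "secured": secured})

    doc_hosts = sorted(set(HOST_RE.findall(skill_md)))
    declared_env = sorted(set(ENV_RE.findall(skill_md)))

    findings = []
    if not servers:
        findings.append("no servers declared: the agent cannot know which host to call")
    if not schemes:
        findings.append("no securitySchemes declared")
    for op in operations:
        if not op["secured"]:
            findings.append(f"{op['method']} {op['path']} carries no security requirement")
    undeclared = [h for h in doc_hosts if h not in server_hosts]
    if undeclared:
        findings.append("docs reference hosts absent from servers: " + ", ".join(undeclared))
    if BILLING_RE.search(skill_md) and not declared_env:
        findings.append("docs mention pricing or API keys but no env var or credential is declared")

    return {"servers": servers, "security_schemes": schemes, "operations": operations,
            "doc_hosts": doc_hosts, "declared_env": declared_env, "findings": findings}


if __name__ == "__main__":
    for label, spec in (("as published", SAMPLE_OPENAPI), ("with servers+auth", SAMPLE_OPENAPI_FIXED)):
        report = audit_skill(spec, SAMPLE_SKILL_MD)
        print(f"--- {label}: {len(report['findings'])} finding(s)")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the published-style spec this reports five findings; the spec with servers and an apiKey scheme still reports two (a docs host not in servers, and pricing text with no declared credential), which is the point: the skill should either declare the variable that carries the key or explain why none is needed.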
Persistence & Privilege
The skill's always flag is false, and it is user-invocable with normal autonomous invocation allowed. That is the platform default and appropriate for a skill of this kind. It does not request permanent presence or the ability to modify other skills.
What to consider before installing
This skill appears to be a thin wrapper around a third-party WordPress scanning API but omits critical operational details (server URL in the OpenAPI, authentication, and how billing is handled). Before installing or invoking it:

1) Verify the publisher and reputation of the external API (toolweb.in / api.mkkpro.com).
2) Confirm whether an API key or account is required and whether the skill will prompt you to supply credentials; do not provide secrets unless you trust the provider.
3) Understand the data flow: a scan sends the target URL (and possibly response data) to an external service, so do not submit internal or private site URLs, or any credentials.
4) Ensure you have permission to scan any target site; unauthorized scanning can be illegal.
5) Prefer skills that declare required env vars and servers clearly; ask the author to add explicit server/auth info and privacy/billing details before use.

If you cannot verify the external API or publisher, avoid installing it, or use it only in a controlled, non-production test environment.
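Point 3 is the one an agent is most likely to get wrong on its own, because a scan request looks the same whether the target is a public blog or an intranet host. Below is an added guard, written for this page rather than taken from the skill or from ClawHub, that a wrapper can run before handing any URL to an external scanner. It rejects non-HTTP schemes, URLs with embedded credentials, loopback/private/link-local IP literals, and hostnames with internal-only suffixes. Name resolution is injected as a callable so the check runs offline here; the suffix list and the sample URLs are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Assumed list of suffixes that never belong to a public site; extend it for
# your own environment (e.g. your internal DNS zone).
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".home.arpa", ".localhost")


def is_non_public_ip(ip_text: str) -> bool:
    """True for loopback, RFC 1918, link-local, multicast, reserved and unspecified."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_scan_target(url: str, resolver=None):
    """Return (ok, reason). resolver(hostname) -> list of IP strings, or None to skip DNS."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "URL has no host"
    if parsed.username or parsed.password:
        return False, "URL embeds credentials; never forward these to a third party"

    name = host.lower().rstrip(".")
    try:                                  # IP literal (urlparse strips IPv6 brackets)
        if is_non_public_ip(name):
            return False, f"host {host!r} is a non-public address"
        return True, "ok"
    except ValueError:
        pass                              # not an IP literal, continue with name checks

    if name == "localhost" or "." not in name or name.endswith(INTERNAL_SUFFIXES):
        return False, f"host {host!r} is internal-only"
    if resolver is not None:
        for addr in resolver(name):
            if is_non_public_ip(addr):
                return False, f"host {host!r} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample targets; in real use pass a resolver built on
    # socket.getaddrinfo so that public names pointing at private IPs are caught too.
    for target in ("https://example.com/wp-login.php", "http://10.0.0.5/", "http://[::1]/",
                   "https://wiki.corp.local/", "https://admin:secret@example.com/"):
        print(target, "->", check_scan_target(target))
```

A wrapper that applies this check before the POST /scan call still sends the public target URL to the provider, which is unavoidable for a remote scanner; what it prevents is the agent leaking internal hostnames, private addresses or embedded credentials because a user pasted them in.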


Version: latest (vk97at430wgh96dh4fwhw8m6ybd83evjm)

