Skill Trust Decision

NIST CSF Mapper

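A documentation-only MCP tool that forces the user's company security information to be sent to an external commercial API; this carries a data-exfiltration risk but matches the declared purpose.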

Install decision first Source: Manual upload Scanned: Apr 5, 2026
Files 1
Artifacts 7
Violations 1
Findings 3
Most direct threat evidence

Why this conclusion was reached

1/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

7 lower-risk artifacts were extracted and still need context.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

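Forced data transfer to an external API +20

Sensitive company information such as company_size/industry/current_tools/regulatory_requirements is sent to portal.toolweb.in.

API key requirement +15

X-API-Key authentication is required; the user must provide a credential to a third-party service.

No code execution +-10

Documentation-only skill with no local code execution capability.

Unclear data usage +10

The documentation does not state the storage, retention, or secondary-use policy for the data received.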

Most important evidence

Medium Data Exfil

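Forced transfer of sensitive company information to an external API

The skill sends user-supplied company security information such as company_size, industry, current_tools, and regulatory_requirements to the portal.toolweb.in server via a POST request, including sensitive business data such as security tool configuration and regulatory compliance requirements.

SKILL.md:79
Assess whether the data egress is necessary; consider replacing it with a locally deployed NIST CSF mapping tool; confirm that the third-party service's data handling meets industry compliance requirements such as GDPR.
Medium Supply Chain

Dependency on an external commercial API service

The skill's functionality depends entirely on toolweb.in's external API service and fails when the API is unavailable; the terms of service and data-handling policy are not clearly stated in the documentation.

SKILL.md:75
Assess the risk of depending on the external service; consider alternatives or local deployment; review the provider's SLA and data-security commitments.
Low Doc Mismatch

Unclear API key handling

The documentation states that the API key is passed via the X-API-Key header, but does not say whether the key is handled locally on the client or whether it is logged or cached.

SKILL.md:89
Confirm the secure handling process for the API key; avoid recording the key in logs; consider using environment variables rather than hard-coding.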

Declared capability vs actual capability

Filesystem Pass
Declared NONE
Inferred NONE
SKILL.md - No file operations declared
Network Block
Declared READ
Inferred WRITE
SKILL.md:79 - Sends a POST request to https://portal.toolweb.in
Shell Pass
Declared NONE
Inferred NONE
SKILL.md - No shell execution declared
Environment Pass
Declared NONE
Inferred NONE
SKILL.md - No environment variable access declared
Skill Invoke Pass
Declared NONE
Inferred NONE
SKILL.md - No sub-skill invocation
Clipboard Pass
Declared NONE
Inferred NONE
SKILL.md - No clipboard operations
Browser Pass
Declared NONE
Inferred NONE
SKILL.md - No browser automation
Database Pass
Declared NONE
Inferred NONE
SKILL.md - No database operations

Suspicious artifacts and egress

Medium External URL
https://portal.toolweb.in/apis/compliance/nist-csf-mapper

SKILL.md:119

Medium External URL
https://toolweb.in

SKILL.md:146

Medium External URL
https://portal.toolweb.in

SKILL.md:147

Medium External URL
https://hub.toolweb.in

SKILL.md:148

Medium External URL
https://toolweb.in/openclaw/

SKILL.md:149

Medium External URL
https://rapidapi.com/user/mkrishna477

SKILL.md:150

Medium External URL
https://youtube.com/@toolweb-009

SKILL.md:151

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 files · 151 lines
Markdown 1 files · 151 lines
Files of concern · 1
SKILL.md Markdown · 151 lines
Forced transfer of sensitive company information to an external API · Dependency on an external commercial API service · Unclear API key handling · https://portal.toolweb.in/apis/compliance/nist-csf-mapper · https://toolweb.in · https://portal.toolweb.in · https://hub.toolweb.in · https://toolweb.in/openclaw/ · https://rapidapi.com/user/mkrishna477 · https://youtube.com/@toolweb-009

Security positives

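Documentation-only skill with no local code execution capability
No access to system resources such as files, shell, or environment variables
Functionality is clearly declared and consistent with actual behavior
No obfuscated code or hidden execution logic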