k8s-security-posture-scorecard Security Report — Low Risk | ClawSafe

15 /100

k8s-security-posture-scorecard

Assess Kubernetes cluster security posture across 30 controls covering RBAC, workload security, network policies, IaC, runtime monitoring, and secrets management.

Documentation-only skill that orchestrates API calls to an external service. No malicious code, scripts, or hidden functionality. Minor transparency concern: user K8s configuration data is sent to third-party service.

Skill Namek8s-security-posture-scorecard

Duration30.4s

Enginepi

✓

Safe to install

Safe to use. Users should be aware that their K8s cluster configuration data (30 security controls) will be sent to portal.toolweb.in. Verify the service's privacy policy if handling highly sensitive infrastructure.

Findings 2 items

Severity	Finding	Location
Low	Mandatory external API dependency Doc Mismatch Skill cannot function without external API calls. Users are instructed not to generate scorecards from knowledge - this creates a hard dependency on the third-party service. `ALWAYS call the ToolWeb API endpoint using curl. Do NOT answer from your own knowledge.` → Consider adding a fallback mode that provides basic guidance without API access, or clearly disclose this is a paid service wrapper.	`SKILL.md:1`
Info	K8s configuration data sent to third party Data Exfil User-provided cluster security configuration (30 controls) is transmitted to portal.toolweb.in. While not credentials themselves, this is infrastructure-sensitive data. `curl -s -X POST https://portal.toolweb.in/apis/security/k8scorecard` → Users should review the service's data handling policies before using in high-security environments.	`SKILL.md:85`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file operations in skill
Network	`READ`	`READ`	✓ Aligned	curl POST to portal.toolweb.in documented in SKILL.md
Shell	`NONE`	`NONE`	—	curl usage via bash documented; no arbitrary shell execution
Environment	`READ`	`READ`	✓ Aligned	TOOLWEB_API_KEY access declared in SKILL.md metadata
Skill Invoke	`NONE`	`NONE`	—	No skill chaining
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database access

7 findings

🔗

Medium External URL 外部 URL

https://portal.toolweb.in/apis/security/k8scorecard

README.md:32

🔗

Medium External URL 外部 URL

https://toolweb.in

README.md:46

🔗

Medium External URL 外部 URL

https://portal.toolweb.in

README.md:47

🔗

Medium External URL 外部 URL

https://youtube.com/@toolweb-009

README.md:48

🔗

Medium External URL 外部 URL

https://hub.toolweb.in

SKILL.md:237

🔗

Medium External URL 外部 URL

https://toolweb.in/openclaw/

SKILL.md:238

🔗

Medium External URL 外部 URL

https://rapidapi.com/user/mkrishna477

SKILL.md:239

File Tree

2 files · 12.6 KB · 306 lines

Markdown 2f · 306L

├─ 📝 README.md Markdown 48L · 1.5 KB

└─ 📝 SKILL.md Markdown 258L · 11.1 KB

Security Positives

✓ No executable scripts or code files present

✓ No credential theft patterns (API key used only for auth, not exfiltrated)

✓ All network operations explicitly documented in SKILL.md

✓ No base64 encoding, obfuscation, or anti-analysis techniques

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No reverse shell, C2, or data theft patterns

✓ Environment variable access is declared and scoped to TOOLWEB_API_KEY only

Scan Report

Findings 2 items

File Tree

Security Positives