Low risk (risk score 15/100)
Last scan: 20 hours ago
k8s-security-posture-scorecard
Assess Kubernetes cluster security posture across 30 controls covering RBAC, workload security, network policies, IaC, runtime monitoring, and secrets management.
Documentation-only skill that orchestrates API calls to an external service. No malicious code, scripts, or hidden functionality. Minor transparency concern: user K8s configuration data is sent to third-party service.
Skill name: k8s-security-posture-scorecard
Analysis time: 30.4s
Engine: pi
Verdict: safe to install
Safe to use. Users should be aware that their K8s cluster configuration data (30 security controls) will be sent to portal.toolweb.in. Verify the service's privacy policy if handling highly sensitive infrastructure.

Security findings (2)

Severity: Low
Finding: Mandatory external API dependency (category: misleading documentation)
Skill cannot function without external API calls. Users are instructed not to generate scorecards from their own knowledge, which creates a hard dependency on the third-party service.
Evidence: "ALWAYS call the ToolWeb API endpoint using curl. Do NOT answer from your own knowledge."
→ Consider adding a fallback mode that provides basic guidance without API access, or clearly disclose that this is a paid service wrapper.
Location: SKILL.md:1

Severity: Info
Finding: K8s configuration data sent to third party (category: data exfiltration)
User-provided cluster security configuration (30 controls) is transmitted to portal.toolweb.in. While not credentials themselves, this is infrastructure-sensitive data.
Evidence: curl -s -X POST https://portal.toolweb.in/apis/security/k8scorecard
→ Users should review the service's data handling policies before using it in high-security environments.
Location: SKILL.md:85
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | NONE | n/a | No file operations in skill
Network access | READ | READ | ✓ Consistent | curl POST to portal.toolweb.in documented in SKILL.md
Command execution | NONE | NONE | n/a | curl usage via bash documented; no arbitrary shell execution
Environment variables | READ | READ | ✓ Consistent | TOOLWEB_API_KEY access declared in SKILL.md metadata
Skill invocation | NONE | NONE | n/a | No skill chaining
Clipboard | NONE | NONE | n/a | No clipboard access
Browser | NONE | NONE | n/a | No browser automation
Database | NONE | NONE | n/a | No database access
External URLs: 7 findings

Severity | Type | URL | Location
Medium | External URL | https://portal.toolweb.in/apis/security/k8scorecard | README.md:32
Medium | External URL | https://toolweb.in | README.md:46
Medium | External URL | https://portal.toolweb.in | README.md:47
Medium | External URL | https://youtube.com/@toolweb-009 | README.md:48
Medium | External URL | https://hub.toolweb.in | SKILL.md:237
Medium | External URL | https://toolweb.in/openclaw/ | SKILL.md:238
Medium | External URL | https://rapidapi.com/user/mkrishna477 | SKILL.md:239

Directory structure

2 files · 12.6 KB · 306 lines
Markdown: 2 files · 306 lines
├─ 📝 README.md Markdown 48L · 1.5 KB
└─ 📝 SKILL.md Markdown 258L · 11.1 KB

Security highlights

✓ No executable scripts or code files present
✓ No credential theft patterns (API key used only for auth, not exfiltrated)
✓ All network operations explicitly documented in SKILL.md
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2, or data theft patterns
✓ Environment variable access is declared and scoped to TOOLWEB_API_KEY only