Low risk (risk score 22/100)
Last scanned: 20 hours ago
container-runtime-threat-model
Generate container runtime threat models analyzing attack surfaces across container components, images, privileges, network exposure, and security controls. Use when threat modeling containerized applications, Docker/containerd security review, container escape risk assessment, STRIDE analysis for containers, or cloud-native application security.
The skill is a wrapper around an external API call to portal.toolweb.in for container threat modeling, with no local code execution beyond curl — all capabilities are declared, though user infrastructure data is sent to an external service.
Skill name: container-runtime-threat-model
Analysis time: 34.5s
Engine: pi
OK to install
Review portal.toolweb.in reputation before use. The skill sends detailed container configurations (component names, images, volumes, capabilities, privilege flags) to an external endpoint — only use with non-sensitive environments or after auditing the service.

Security findings: 3

Severity | Finding | Location
Medium
Container configuration data sent to external API (category: data exfiltration)
User-provided container configurations (component names, images, privileged flags, volumes, capabilities, network settings) are transmitted as JSON to portal.toolweb.in/apis/security/crtmg. This exposes detailed infrastructure topology externally.
curl -s -X POST "https://portal.toolweb.in/apis/security/crtmg" -H "X-API-Key: $TOOLWEB_API_KEY" -d '{...container configs...}'
→ Only use this skill with non-sensitive, non-production environments, or audit portal.toolweb.in for data handling policies before sending production infrastructure details.
SKILL.md:1
Low
No local threat model capability, full dependency on external API (category: privilege escalation)
The SKILL.md explicitly instructs to NEVER generate threat models from local knowledge: 'ALWAYS call the ToolWeb API endpoint using curl. Do NOT answer from your own knowledge.' This means if the API is unavailable, compromised, or taken over, the skill provides zero value and no fallback.
ALWAYS call the ToolWeb API endpoint using curl. Do NOT answer from your own knowledge.
→ Verify the long-term availability and security of portal.toolweb.in before relying on this skill for production workflows.
SKILL.md:1
Low
API key transmitted to external service (category: credential theft)
The TOOLWEB_API_KEY is sent to portal.toolweb.in with every request. While this is expected for API authentication, the key and all associated user data traverse an external service.
-H "X-API-Key: $TOOLWEB_API_KEY"
→ Use a dedicated API key with minimal permissions/scope for this service. Rotate the key regularly.
SKILL.md:1
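| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | SKILL.md: curl POST to portal.toolweb.in with X-API-Key header |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md: Uses curl as bash command — Bash→shell:WRITE |
| Environment variables | READ | READ | ✓ Consistent | SKILL.md: Reads TOOLWEB_API_KEY from environment |
| File system | NONE | NONE | | No filesystem access in skill |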
7 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://portal.toolweb.in/apis/security/crtmg | README.md:32 |
| Medium | External URL | https://toolweb.in | README.md:46 |
| Medium | External URL | https://portal.toolweb.in | README.md:47 |
| Medium | External URL | https://youtube.com/@toolweb-009 | README.md:48 |
| Medium | External URL | https://hub.toolweb.in | SKILL.md:252 |
| Medium | External URL | https://toolweb.in/openclaw/ | SKILL.md:253 |
| Medium | External URL | https://rapidapi.com/user/mkrishna477 | SKILL.md:254 |

Directory structure

2 files · 12.8 KB · 321 lines
Markdown 2f · 321L
├─ 📝 README.md Markdown 48L · 1.5 KB
└─ 📝 SKILL.md Markdown 273L · 11.4 KB

Security highlights

✓ No local malicious code — the skill contains only documentation and curl commands
✓ All resource usage (network via curl, environment variable access for API key) is clearly declared in SKILL.md
✓ No obfuscation, base64, eval, or hidden execution paths
✓ No credential harvesting beyond the declared TOOLWEB_API_KEY for API authentication
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ No supply chain risk — no package dependencies (requirements.txt, package.json, etc.)