privacy-solution-scorecard 安全扫描报告 — 低风险 | ClawSafe

15 /100

privacy-solution-scorecard

Evaluate and compare privacy solution vendors with a weighted scorecard across 12 criteria

A documentation-only privacy vendor scorecard skill that makes declared curl-based API calls to portal.toolweb.in using an environment variable API key.

技能名称privacy-solution-scorecard

分析耗时29.4s

引擎pi

✓

可以安装

Approve for use. The skill is purely declarative (SKILL.md + README.md only) with no executable scripts. Network access and the TOOLWEB_API_KEY environment variable are declared in SKILL.md. No hidden functionality, credential exfiltration, or suspicious patterns detected.

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No filesystem access detected
网络访问	`READ`	`READ`	✓ 一致	SKILL.md:45 - POST to portal.toolweb.in/apis/compliance/privacy-scorecard via cu…
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md:47 - curl command uses -X POST flags; limited to API calls only, no arb…
环境变量	`READ`	`READ`	✓ 一致	SKILL.md:12 - reads TOOLWEB_API_KEY for API authentication only
技能调用	`NONE`	`NONE`	—	No cross-skill invocation detected
剪贴板	`NONE`	`NONE`	—	No clipboard access detected
浏览器	`NONE`	`NONE`	—	No browser access detected
数据库	`NONE`	`NONE`	—	No database access detected

7 项发现

🔗

中危外部 URL 外部 URL

https://toolweb.in

README.md:60

🔗

中危外部 URL 外部 URL

https://portal.toolweb.in

SKILL.md:5

🔗

中危外部 URL 外部 URL

https://portal.toolweb.in/apis/compliance/privacy-scorecard

SKILL.md:45

🔗

中危外部 URL 外部 URL

https://hub.toolweb.in

SKILL.md:218

🔗

中危外部 URL 外部 URL

https://toolweb.in/openclaw/

SKILL.md:219

🔗

中危外部 URL 外部 URL

https://rapidapi.com/user/mkrishna477

SKILL.md:220

🔗

中危外部 URL 外部 URL

https://youtube.com/@toolweb-009

SKILL.md:221

目录结构

2 文件 · 10.7 KB · 297 行

Markdown 2f · 297L

├─ 📝 README.md Markdown 60L · 1.4 KB

└─ 📝 SKILL.md Markdown 237L · 9.3 KB

安全亮点

✓ No executable scripts or code files present — purely declarative SKILL.md

✓ Network access (curl to portal.toolweb.in) is explicitly declared in metadata

✓ TOOLWEB_API_KEY environment variable access is declared and scoped to authentication only

✓ curl binary requirement declared in metadata

✓ No credential harvesting or exfiltration patterns detected

✓ No base64 encoding, obfuscation, or anti-analysis techniques

✓ No sensitive path access (~/.ssh, ~/.aws, .env files)

✓ No supply chain risk (no dependencies, package files, or pinned versions)

✓ No persistence mechanisms (no cron, startup hooks, or backdoor installation)

✓ No prompt injection or hidden instructions detected

✓ No remote script execution (curl|bash, wget|sh)

✓ External data exfiltration is limited to the declared API call and necessary for the stated function