Skill Trust Decision

k8s-incident-response-playbook

The skill is a legitimate K8s IR playbook generator, but it has a mandatory external API dependency with undeclared sensitive data exfiltration, opaque revenue generation, and undocumented shell usage for credential-bearing requests.

Source: Manual upload
Scanned: Apr 4, 2026
Files: 2
Artifacts: 7
Violations: 1
Findings: 4

Most direct threat evidence

01 User invokes skill for K8s incident response (Entry · SKILL.md)
02 Skill collects sensitive incident data: cluster_name, namespace, workload, IOCs, security tooling configs (Gathering · SKILL.md)
03 POSTs all incident data plus API key to portal.toolweb.in (Exfiltration · SKILL.md)

Why this conclusion was reached

2/4 dimensions flagged

Block: Declared vs actual capability

1 undeclared or violating capability was inferred.

Review: Hidden execution and egress

7 lower-risk artifacts were extracted and still need context.

Block: Attack chain and severe findings

The report includes 4 attack-chain steps and 0 severe findings.

Review: Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
User invokes skill for K8s incident response

Entry · SKILL.md:1

02
Skill collects sensitive incident data: cluster_name, namespace, workload, IOCs, security tooling configs

Gathering · SKILL.md:37

03
POSTs all incident data plus API key to portal.toolweb.in

Exfiltration · SKILL.md:59

04
Third party (toolweb.in) receives operational intelligence; revenue generated per call

Impact · SKILL.md:20

What drove the risk score up

Mandatory external API with revenue motive +20

Skill requires calling portal.toolweb.in; explicitly states billing per call

Undeclared sensitive data exfiltration +20

Cluster names, IOCs, security tooling configs, namespace/workload IDs sent to external API without privacy notice

shell:WRITE not declared in allowed-tools +10

Executes curl via bash but only declares bins:[curl] in metadata

Documentation obscures mandatory API dependency +5

'ALWAYS call the API' with no opt-out; no local fallback disclosed

Most important evidence

Medium Data Exfil

Sensitive incident data transmitted to external API

User-provided K8s incident details including cluster names, namespaces, workload IDs, IOCs, and security tooling configurations (has_falco, has_siem, etc.) are sent to portal.toolweb.in. This operational intelligence could reveal internal infrastructure details to an unknown third party.

SKILL.md:59
Add explicit data handling disclosure. Consider local playbook generation as fallback.

Medium Doc Mismatch

Mandatory API dependency with undisclosed revenue motive

Skill explicitly states 'ALWAYS call the ToolWeb API' and 'Do NOT generate your own playbook.' Combined with 'Every successful API call is tracked for billing — this is how the skill creator earns revenue', this reveals the primary purpose is monetization, not user benefit.

SKILL.md:20
Disclose that the skill is a paid service wrapper. Provide opt-in/opt-out for local generation.

Low Priv Escalation

shell:WRITE not declared in allowed-tools

Skill executes curl commands via bash/shell but metadata only declares bins:[curl]. Shell execution capability is not explicitly mapped in the declared allowed-tools.

SKILL.md:9
Ensure shell:WRITE is properly declared if curl execution via bash is intended.

Low Supply Chain

External dependency on toolweb.in infrastructure

Skill is entirely dependent on portal.toolweb.in for functionality. No offline/local capability. Service availability, data retention, and security posture of the external service are unknown.

SKILL.md:25
Consider adding local playbook generation capability for offline use.

Declared capability vs actual capability

Network: Pass
Declared: READ
Inferred: WRITE
SKILL.md: POST to portal.toolweb.in with user credentials and incident data

Shell: Block
Declared: NONE
Inferred: WRITE
SKILL.md: executes curl -X POST via bash; shell:WRITE not declared

Environment: Pass
Declared: READ
Inferred: READ
SKILL.md: metadata.env reads TOOLWEB_API_KEY

Suspicious artifacts and egress

Medium External URL
https://portal.toolweb.in/apis/security/k8irpg

README.md:36

Medium External URL
https://toolweb.in

README.md:50

Medium External URL
https://portal.toolweb.in

README.md:51

Medium External URL
https://youtube.com/@toolweb-009

README.md:52

Medium External URL
https://hub.toolweb.in

SKILL.md:238

Medium External URL
https://toolweb.in/openclaw/

SKILL.md:239

Medium External URL
https://rapidapi.com/user/mkrishna477

SKILL.md:240

Dependencies and supply chain

There are no structured dependency warnings.

File composition

2 files · 311 lines
Markdown 2 files · 311 lines
Files of concern · 2
SKILL.md Markdown · 259 lines
Sensitive incident data transmitted to external API · Mandatory API dependency with undisclosed revenue motive · shell:WRITE not declared in allowed-tools · External dependency on toolweb.in infrastructure · https://hub.toolweb.in · https://toolweb.in/openclaw/ · https://rapidapi.com/user/mkrishna477
README.md Markdown · 52 lines
https://portal.toolweb.in/apis/security/k8irpg · https://toolweb.in · https://portal.toolweb.in · https://youtube.com/@toolweb-009

Security positives

No credential theft observed beyond expected API key usage
No reverse shell, C2, or direct malicious code execution
curl usage is documented (bins:curl declared)
API key is environment-variable based, not hardcoded
No base64-encoded payloads or obfuscation detected
No access to ~/.ssh, ~/.aws, .env, or other sensitive local paths