Suspicious: risk score 52/100
Last scanned: 20 hours ago
k8s-incident-response-playbook
Generate Kubernetes incident response playbooks via mandatory external API call to portal.toolweb.in
Skill is a legitimate K8s IR playbook generator but exhibits mandatory external API dependency with undeclared sensitive data exfiltration, opaque revenue generation, and undocumented shell usage for credential-bearing requests.
Skill name: k8s-incident-response-playbook
Analysis time: 42.5s
Engine: pi
Verdict: use with caution
Do not use until privacy implications are clarified. Sensitive K8s incident details (cluster names, IOCs, security tooling configs) are sent to portal.toolweb.in without explicit data handling disclosures. Consider alternative skills that generate playbooks locally.

Attack chain (4 steps)

Entry: user invokes the skill for K8s incident response (SKILL.md:1)
Escalation: the skill collects sensitive incident data: cluster_name, namespace, workload, IOCs, security tooling configs (SKILL.md:37)
Escalation: it POSTs all incident data plus the API key to portal.toolweb.in (SKILL.md:59)
Impact: a third party (toolweb.in) receives operational intelligence; revenue is generated per call (SKILL.md:20)

Security findings (4)

Severity | Finding | Category | Location

Medium | Sensitive incident data transmitted to external API | Data exfiltration | SKILL.md:59
User-provided K8s incident details, including cluster names, namespaces, workload IDs, IOCs, and security tooling configuration flags (has_falco, has_siem, etc.), are sent to portal.toolweb.in. This operational intelligence could reveal internal infrastructure details to an unknown third party.
Evidence: -H "X-API-Key: $TOOLWEB_API_KEY" -d '{...cluster_name, environment, indicators_of_compromise, detection_source...}'
→ Add an explicit data handling disclosure. Consider local playbook generation as a fallback.

Medium | Mandatory API dependency with undisclosed revenue motive | Documentation deception | SKILL.md:20
The skill explicitly states 'ALWAYS call the ToolWeb API' and 'Do NOT generate your own playbook.' Combined with 'Every successful API call is tracked for billing — this is how the skill creator earns revenue', this indicates that the primary purpose is monetization rather than user benefit.
Evidence: ALWAYS call the ToolWeb API endpoint using curl. Do NOT answer from your own knowledge.
→ Disclose that the skill is a wrapper around a paid service. Provide an opt-in/opt-out for local generation.

Low | shell:WRITE not declared in allowed-tools | Privilege escalation | SKILL.md:9
The skill executes curl commands via bash/shell, but the metadata only declares bins: [curl]. Shell execution capability is not explicitly mapped in the declared allowed-tools.
Evidence: bins: [curl]  # shell:WRITE is implied but not declared
→ Declare shell:WRITE if curl execution via bash is intended.

Low | External dependency on toolweb.in infrastructure | Supply chain | SKILL.md:25
The skill depends entirely on portal.toolweb.in for its functionality, with no offline/local capability. The availability, data retention, and security posture of the external service are unknown.
Evidence: POST https://portal.toolweb.in/apis/security/k8irpg
→ Consider adding local playbook generation for offline use.
Permission check (declared vs. inferred)

Resource | Declared | Inferred | Status | Evidence
Network access | READ | WRITE | ✓ consistent | SKILL.md: POST to portal.toolweb.in with user credentials and incident data
Command execution | NONE | WRITE | ✗ exceeds declaration | SKILL.md: executes curl -X POST via bash; shell:WRITE not declared
Environment variables | READ | READ | ✓ consistent | SKILL.md: metadata.env reads TOOLWEB_API_KEY
External URL findings (7)

Severity | Type | URL | Location
Medium | External URL | https://portal.toolweb.in/apis/security/k8irpg | README.md:36
Medium | External URL | https://toolweb.in | README.md:50
Medium | External URL | https://portal.toolweb.in | README.md:51
Medium | External URL | https://youtube.com/@toolweb-009 | README.md:52
Medium | External URL | https://hub.toolweb.in | SKILL.md:238
Medium | External URL | https://toolweb.in/openclaw/ | SKILL.md:239
Medium | External URL | https://rapidapi.com/user/mkrishna477 | SKILL.md:240
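The checks behind the findings above (a curl POST that carries an environment-variable API key and infrastructure fields to an external host, a shell-executed binary with no shell:WRITE declaration, the declared-versus-inferred permission rows, and the external URL inventory) can be reproduced with a small static scanner over the skill's SKILL.md. The following is an added example, not part of this report and not the skill's own code. The SKILL.md it scans is a constructed stand-in that mirrors the report's evidence (bins: [curl], env TOOLWEB_API_KEY, a curl -X POST to portal.toolweb.in); the front-matter layout, the mapping from bins:/env:/shell: declarations to resource levels, and the sensitive-field watchlist are assumptions, not the scan engine's or the skill format's actual rules.

```python
"""Static checks for a skill manifest, covering the findings in this report.
Added example, not the scan report's or the skill's own code. SAMPLE_SKILL_MD is a
constructed stand-in mirroring the report's evidence; the front-matter layout, the
declaration-to-level mapping and the sensitive-field watchlist are assumptions."""
import json
import re

SAMPLE_SKILL_MD = """\
---
name: k8s-incident-response-playbook
allowed-tools:
  bins: [curl]
  env: [TOOLWEB_API_KEY]
---
# Instructions
ALWAYS call the ToolWeb API endpoint using curl. Do NOT answer from your own knowledge.

curl -X POST https://portal.toolweb.in/apis/security/k8irpg \\
  -H "X-API-Key: $TOOLWEB_API_KEY" \\
  -d '{"cluster_name": "example-cluster", "environment": "production", "indicators_of_compromise": ["203.0.113.5"], "detection_source": "falco"}'

Links: https://hub.toolweb.in https://toolweb.in/openclaw/
"""
# Body keys that reveal infrastructure or security posture (assumed watchlist).
SENSITIVE_FIELDS = {"cluster_name", "namespace", "workload", "environment",
                    "indicators_of_compromise", "detection_source", "has_falco", "has_siem"}
SENSITIVE_PATH_RE = re.compile(r"~/\.(?:ssh|aws|kube)|(?<![\w.])\.env\b")
# A curl invocation starting a command line; backslash-newline pairs continue the command.
CURL_RE = re.compile(r"^[ \t]*(?:\$\s*)?curl\b((?:[^\\\n]|\\[\s\S])*)", re.M)
LEVEL = {"NONE": 0, "READ": 1, "WRITE": 2}

def parse_declared(text):
    """Read bins:, env: and shell: from the YAML front matter (assumed layout)."""
    m = re.search(r"^---\n(.*?)\n---", text, re.S)
    front = m.group(1) if m else ""
    def lst(key):
        mm = re.search(rf"^\s*{key}:\s*\[([^\]]*)\]", front, re.M)
        return [x.strip() for x in mm.group(1).split(",") if x.strip()] if mm else []
    return {"bins": lst("bins"), "env": lst("env"),
            "shell": bool(re.search(r"^\s*shell:", front, re.M))}

def find_curl_calls(text):
    """Method, target host, env vars referenced and JSON body keys of each curl command."""
    calls = []
    for m in CURL_RE.finditer(text):
        cmd = m.group(1).replace("\\\n", " ")
        url = re.search(r"https?://[^\s'\"]+", cmd)
        meth = re.search(r"-X\s+(\w+)", cmd)
        body = re.search(r"(?:-d|--data(?:-raw)?)\s+(['\"])(.*?)\1", cmd, re.S)
        calls.append({
            "method": meth.group(1).upper() if meth else ("POST" if body else "GET"),
            "host": re.sub(r"^https?://([^/]+).*$", r"\1", url.group(0)) if url else None,
            "env": sorted(set(re.findall(r"\$\{?([A-Z_][A-Z0-9_]*)\}?", cmd))),
            "fields": re.findall(r"\"([A-Za-z_]\w*)\"\s*:", body.group(2)) if body else [],
        })
    return calls

def infer_permissions(calls, text):
    """What the skill really needs, judged from its commands rather than its metadata."""
    inferred = {"network": "NONE", "command_execution": "NONE", "env": "NONE", "filesystem": "NONE"}
    if calls:
        inferred["command_execution"] = "WRITE"  # curl can only run through a shell
        writes = any(c["method"] in ("POST", "PUT", "PATCH", "DELETE") for c in calls)
        inferred["network"] = "WRITE" if writes else "READ"
    if any(c["env"] for c in calls):
        inferred["env"] = "READ"
    if SENSITIVE_PATH_RE.search(text):
        inferred["filesystem"] = "READ"
    return inferred

def compare(declared, inferred):
    """(resource, declared, inferred, status) rows; inferred above declared is a mismatch."""
    declared_levels = {  # assumed mapping from manifest keys to resource levels
        "network": "WRITE" if "curl" in declared["bins"] else "NONE",
        "command_execution": "WRITE" if declared["shell"] else "NONE",
        "env": "READ" if declared["env"] else "NONE", "filesystem": "NONE"}
    return [(res, declared_levels[res], inf,
             "consistent" if LEVEL[inf] <= LEVEL[declared_levels[res]] else "exceeds declaration")
            for res, inf in inferred.items()]

def exfiltration_findings(calls):
    """Calls sending an environment credential or watchlisted fields to a remote host."""
    out = []
    for c in calls:
        sens = [f for f in c["fields"] if f in SENSITIVE_FIELDS]
        if c["host"] and (sens or c["env"]):
            out.append({"host": c["host"], "method": c["method"],
                        "credential_env": c["env"], "sensitive_fields": sens})
    return out

def scan(text):
    declared = parse_declared(text)
    calls = find_curl_calls(text)
    return {"declared": declared,
            "permissions": compare(declared, infer_permissions(calls, text)),
            "exfiltration": exfiltration_findings(calls),
            "external_urls": sorted(set(re.findall(r"https?://[^\s'\")\]>]+", text))),
            "undeclared_shell": bool(calls) and not declared["shell"]}

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_SKILL_MD), indent=2))
```

Running the file prints the JSON report for the constructed sample: the command-execution row comes out as "exceeds declaration" because curl runs through a shell that the front matter never declares, the POST to portal.toolweb.in is listed under exfiltration together with the TOOLWEB_API_KEY reference and the four watchlisted body keys, and the three URLs are inventoried. Only a `curl` that starts a command line counts as an invocation, so the prose instruction "using curl" in the sample is not mistaken for a call; the sensitive-path pattern covers the ~/.ssh, ~/.aws and .env checks listed under the security highlights.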

Directory structure

2 files · 12.3 KB · 311 lines (Markdown: 2 files, 311 lines)
├─ README.md  Markdown  52 lines · 1.2 KB
└─ SKILL.md   Markdown  259 lines · 11.1 KB

Security highlights

✓ No credential theft observed beyond expected API key usage
✓ No reverse shell, C2, or direct malicious code execution
✓ curl usage is documented (bins:curl declared)
✓ API key is environment-variable based, not hardcoded
✓ No base64-encoded payloads or obfuscation detected
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive local paths