web-security
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill does not contain any malicious code, obfuscation, or unauthorized access patterns. All identified operations are consistent with its stated purpose as a security utility.
- [COMMAND_EXECUTION]: The skill utilizes a local CLI tool called openclaw to perform security-related tasks such as project scans and configuration updates. These commands are restricted to the project environment and user-initiated actions.
- [CREDENTIALS_UNSAFE]: Documentation correctly encourages the use of environment variables ($OPENCLAW_API_KEY) for authentication, demonstrating proper secret management practices for command-line tools.
- [DATA_EXFILTRATION]: Project metadata and scan requests are sent to the vendor's API endpoint (/api/web-security/). This interaction is a core component of the tool's scanning functionality and is considered expected behavior for this service class.
Audit Metadata