← Back to Skills Marketplace
298
Downloads
0
Stars
1
Active Installs
3
Versions
Install in OpenClaw
/install openclaw-skill-tools
Description
Generate and security-scan OpenClaw SKILL.md files. Use when creating new OpenClaw skills, scanning skills for security vulnerabilities like prompt injection...
Usage Guidance
This tool appears to do what it says, but it requires you to send the full SKILL.md (and possibly full source files) to a third-party API and to always use that API for analysis. Before installing: (1) do not upload SKILL.md files that include real credentials, secrets, or sensitive configuration—remove or redact them; (2) verify portal.toolweb.in's reputation and privacy/billing terms; (3) prefer a disposable or limited-scope TOOLWEB_API_KEY if you must use the service; (4) consider running a local, manual review for high-sensitivity skills instead of relying solely on this remote scanner; (5) test with non-sensitive examples first to confirm behavior. If you need a fully offline scanner or require assurance that code never leaves your environment, this skill is not appropriate.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-skill-tools
Version: 1.0.2
The skill bundle provides a legitimate utility for generating and security-scanning OpenClaw SKILL.md files by acting as a wrapper for the ToolWeb.in API. It requires a TOOLWEB_API_KEY and uses curl to send user-provided skill content to https://portal.toolweb.in for analysis. While it transmits code to a third-party service and uses forceful instructions to ensure the agent utilizes the paid API, these behaviors are transparently documented and aligned with its stated purpose as a commercial security tool.
Capability Assessment
Purpose & Capability
The skill is an instruction-only generator/scanner that calls a remote service. Requiring curl and a TOOLWEB_API_KEY to reach portal.toolweb.in is coherent with the described purpose (proprietary remote analysis). No unrelated clouds or credentials are requested.
Instruction Scope
SKILL.md explicitly orders the agent to ALWAYS call the remote ToolWeb API and never produce an assessment locally. The scan workflow requires submitting the full SKILL.md (and README notes suggest submitting 'full source of all included files'). Those artifacts may contain sensitive data (embedded credentials, example tokens, or file paths). Forcing all scans to go off-instance increases risk of unintended secret disclosure and telemetry of user content.
Install Mechanism
There is no install spec and no code to download; the skill is instruction-only and relies on curl being present. This is the lowest-risk install model (nothing is written to disk by an installer).
Credentials
Only one env var is required (TOOLWEB_API_KEY), which matches the declared primary credential and the described API usage. However, because the skill sends entire SKILL.md files and possibly 'full source', those uploads may contain other sensitive env names/values or secrets — the single credential request is proportional, but the data-sending behavior raises disclosure risk.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges or to modify other skills. It may be invoked autonomously (default), which is normal; that combined with remote upload behavior increases blast radius but is not a misconfiguration by itself.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-skill-tools - After installation, invoke the skill by name or use
/openclaw-skill-tools - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Documentation content in SKILL.md was unchanged; only the file version was updated from 1.0.0 to 1.0.2.
- No functional or feature changes were introduced in this version.
v1.0.1
- Added a prominent instruction to always call the ToolWeb API using curl, never answer from general knowledge.
- Clarified error handling: inform the user on API call failure and do not generate your own assessment.
- Emphasized that every API call is tracked for billing and supports the skill creator.
- Updated instructions for TOOLWEB_API_KEY configuration and linked the portal for obtaining the key.
- No changes to the API endpoints or skill features.
v1.0.0
Initial release: OpenClaw SKILL.md generator and security scanner
- Generate professional SKILL.md files for new OpenClaw skills.
- Scan and audit SKILL.md files for security issues such as prompt injection, data exfiltration, credential theft, permission abuse, and scope creep.
- Includes detailed workflows for both generation and scanning, with error handling and examples.
- Requires TOOLWEB_API_KEY and curl; supports Linux, macOS, and Windows.
- Free trial and subscription plans available via ToolWeb.in.
- Built by a CISSP/CISM certified security professional; recommended for all OpenClaw skill authors and users.
Metadata
Frequently Asked Questions
What is Openclaw Skill Tools?
Generate and security-scan OpenClaw SKILL.md files. Use when creating new OpenClaw skills, scanning skills for security vulnerabilities like prompt injection... It is an AI Agent Skill for Claude Code / OpenClaw, with 298 downloads so far.
How do I install Openclaw Skill Tools?
Run "/install openclaw-skill-tools" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Openclaw Skill Tools free?
Yes, Openclaw Skill Tools is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Openclaw Skill Tools support?
Openclaw Skill Tools is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin, win32).
Who created Openclaw Skill Tools?
It is built and maintained by ToolWeb (@krishnakumarmahadevan-cmd); the current version is v1.0.2.
More Skills