📦 Azure AKS Hardening — Utilities
v1.0.0 Service (AKS) configurations for security hardening.
Security scan
OpenClaw
Suspicious
medium confidence
The skill's stated purpose (generating CIS-compliant AKS configs) is plausible, but the instructions leave out key operational details (authentication, base URL, and data-handling expectations) and claim a paid external API while requiring no credentials — this inconsistency warrants caution.
Assessment recommendations
This skill appears to describe a third‑party API for generating AKS hardening configs, but the documentation is vague about which base URL to call, how to authenticate, and how data is handled. Before installing or using it: (1) verify the service hostname and TLS (use the documented https endpoints), (2) ask the provider whether an API key or account is required and never hard-code sensitive keys into the agent, (3) avoid sending real cluster credentials or secrets — test with non-sensitive dat...
Detailed analysis
ℹ Purpose and capabilities
The name/description and the included OpenAPI spec align: this is an API that generates CIS v1.8.0 AKS hardening configuration. However, the skill documents a paid external service (toolweb / api.mkkpro.com) yet declares no required credentials or env vars; that mismatch is unexpected for a hosted API offering paid tiers.
⚠ Instruction scope
SKILL.md describes POST /api/aks/generate and sample payloads/responses but does not provide an explicit server/base URL in the OpenAPI spec nor clear runtime instructions about how the agent should call the service (authentication headers, rate limits, which base host to use). The doc references external hosts (api.mkkpro.com and api.mkkpro.com:8149) and pricing, which implies network calls and possibly API keys — yet no guidance on handling sensitive inputs (e.g., cluster identifiers, secrets) or whether sensitive data is retained by the service.
✓ Install mechanism
This is an instruction-only skill with no install spec and no code files; nothing is written to disk and there is no package installation step — lower installation risk.
⚠ Credential requirements
The skill requests no environment variables or credentials, but documents a paid external API and an external Kong route. In practice a hosted API with paid tiers commonly requires API keys or tokens; the absence of declared credentials is an inconsistency. Also, the docs do not warn users about sending potentially sensitive configuration data to a third-party service or how long that data is retained.
✓ Persistence and privileges
always is false and there are no config-path or system-level operations. The skill does allow normal autonomous invocation (disable-model-invocation is false), which is platform-default; combined with its network calls this increases blast radius slightly but is expected for an API-style skill.
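Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Install command
Official: npx clawhub@latest install toolweb-azure-aks-hardening
Mirror (accelerated): npx clawhub@latest install toolweb-azure-aks-hardening --registry https://cn.longxiaskill.com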