MITRE ATT&CK Technique Mapper — Utility Tool
v1.0.0 Maps security reports and files to MITRE ATT&CK techniques, tactics, detection guidance, mitigation, and threat actor associations.
Security Scan
OpenClaw
Suspicious
Medium confidence: The skill's stated purpose (mapping threat text/files to ATT&CK) is plausible, but its runtime instructions ask the agent to upload potentially sensitive reports to an external API and reference an API key mechanism that is not declared in the skill metadata, producing an incoherent and potentially risky footprint.
Assessment recommendations
Before installing or using this skill, consider the following:
- The SKILL.md instructs you to upload incident reports or raw threat data to https://portal.toolweb.in. That domain and the skill's source are unverified (no homepage or owner details). Only upload non-sensitive, redacted, or synthetic data unless you fully trust the operator.
- The documentation references passing an X-API-Key or 'mcp_api_key' but the skill metadata does not declare any required credential. Ask the skill author to...
ℹ Purpose and capability
The high-level purpose (map attacker behavior to MITRE ATT&CK) matches the API calls shown in SKILL.md. However, the SKILL.md requires an X-API-Key header or an MCP 'mcp_api_key' parameter for authentication, yet the skill metadata declares no required environment variables or primary credential — this mismatch is unexpected and reduces trust.
⚠ Instruction scope
The instructions direct the agent to POST free text or uploaded incident reports (PDF/DOCX/CSV/TXT) to an external endpoint (https://portal.toolweb.in/apis/security/mitre-attack-mapper). Uploading sensitive incident data to an external, unverified domain is a privacy/security risk. The docs also encourage passing an 'mcp_api_key' via MCP, which could cause the agent to use platform credentials. The SKILL.md does not limit or warn about sensitive data handling.
✓ Install mechanism
No install spec and no code files (instruction-only). This reduces surface area because nothing is written to disk by the skill itself.
⚠ Credential requirements
SKILL.md expects an API key (X-API-Key or mcp_api_key) but the registry metadata lists no required environment variables or primary credential. This is an incoherence: either the skill should declare that it needs an API key, or it should provide an alternative. There is also a risk the agent might be instructed (or tricked) into sending platform-level credentials via the 'mcp_api_key' parameter.
✓ Persistence and privileges
No elevated persistence flags (always:false) and no install-time hooks. The skill cannot force-enable itself or alter other skills from the provided material.
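Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Install command
Official: npx clawhub@latest install toolweb-mitre-attack-mapper
Mirror (accelerated): npx clawhub@latest install toolweb-mitre-attack-mapper --registry https://cn.longxiaskill.com (mirror available)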