Software License Manager

v1.0.0

Audit, track, and optimize your organization's software licenses by identifying waste, compliance risks, and managing a renewal calendar with alerts.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description promise a full org-wide license audit (inventory, DAU/MAU, seat counts, renewal automation). However, the skill declares no required credentials, config paths, or binaries. Realizing these features legitimately requires access to many external systems (SaaS admin consoles, billing exports, SSO/IDP logs, MDM, source code repos, cloud billing APIs). The absence of any declared access requirements is a mismatch: this appears to be a playbook/framework rather than an automated connector.
Instruction Scope
SKILL.md provides thorough frameworks, templates, and recommended analyses but contains no concrete, bounded runtime instructions for where or how to collect inventory and usage data. It does not explicitly tell the agent to read particular files or call specific APIs, nor does it warn against reading unrelated sensitive files. Because it asks for DAU/MAU, ghost-seat detection, and OSS license scanning, an agent following these instructions could reasonably seek access to admin consoles, repos, billing data, or logs — but the skill does not specify safe, minimal data sources or required permission levels.
Install Mechanism
Instruction-only skill with no install spec and no bundled code files. Nothing will be written to disk by the skill package itself, which reduces direct supply-chain risk.
Credentials
The skill declares no environment variables or credentials, yet the claimed capabilities normally require multiple sensitive credentials (SaaS admin keys, cloud billing read access, SSO/IDP logs, repo read access). The lack of explicit credential requirements is disproportionate to the claimed functionality and could mislead users into thinking it can run without granting access — in practice you would need to provide several high-privilege tokens to get accurate results.
Persistence & Privilege
No 'always' flag, no install hooks, and no config paths requested. The skill does not ask to persist itself or modify other skills. Autonomous invocation is allowed by default but is not combined with other red flags here.
What to consider before installing
This skill reads like a strong human-facing audit playbook and templates rather than an automated connector. It does not include code or installers, so installing it does not by itself grant access to anything — however, to actually perform the audits described you or your agent will need to supply many sensitive data sources (SaaS admin APIs, cloud billing, SSO/IDP logs, repo access, MDM). Before running: (1) treat this as a manual framework unless you intentionally provide connectors; (2) never hand over full admin keys — use least-privilege, read-only API tokens or scoped audit credentials; (3) explicitly document which systems the agent will query and get approval from owners; (4) test on a limited subset or a staging account first; (5) be cautious about following external links/prompts that ask you to pay or supply credentials (the README links to paid AfrexAI context packs). If you want automated scans, prefer a skill that declares the exact connectors it uses and the minimum permissions required.

Like a lobster shell, security has layers — review code before you run it.

Tags: audit, compliance, cost-optimization, latest, license, procurement, saas
