Skill v1.0.0

ClawScan security

AMG Azure Subscription Cost Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 17, 2026, 5:57 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's actions match its stated purpose (querying Azure billing through a Grafana/MCP datasource), but it depends on a high-privilege Grafana service-account token registered out of band as an MCP server, a requirement the registry metadata does not declare, and some optional behaviors (running local interpreters) broaden the runtime scope. These documentation mismatches and optional execution paths merit caution.
Guidance
This skill appears to do what it says (query Azure billing via a Grafana/AMG MCP datasource), but it requires you to register a Grafana/MCP server named exactly 'amg' and supply a Grafana service-account token via `openclaw mcp set` (the SKILL.md example uses a `glsa_...` token). That token grants access to your Grafana instance and every datasource the service account can reach, so before configuring it, verify the token's scope and limit it to read-only access on the Azure Monitor datasource. Note that the skill may run for many minutes if you select multiple subscriptions (mandatory 60s waits and backoff rules). Also, for very large results it may offer to invoke local interpreters (node/python/jq/pwsh) or Bash to parse and save data; those steps are optional but would execute local commands and should be approved only after review. Finally, the registry metadata does not list the Grafana token as a required credential; treat that as a documentation mismatch and, if possible, verify the skill source (SKILL.md claims an Azure GitHub repo) before provisioning credentials or running it in a production workspace. If you proceed, use a temporary or least-privilege token and test in an isolated workspace first.

Review Dimensions

Purpose & Capability
note
The skill's name/description (Azure subscription cost analysis) aligns with the MCP calls and workflow in SKILL.md: it lists subscriptions and queries cost breakdowns via mcp__amg__* tools. However, SKILL.md expects the workspace to be configured with a Grafana/MCP endpoint and a Grafana service-account token (glsa_...) via `openclaw mcp set`, while the registry metadata declares no required credentials or primary credential. That mismatch (a needed token not listed in metadata) is a documentation/inventory inconsistency.
Instruction Scope
note
Instructions are explicit and scoped to listing datasources, enumerating subscriptions, and running cost-analysis calls with mandatory waits and 429 backoff. The skill reads from and writes to its own memory path (memory/amg-check-azure-spend/*) and uses `date` to compute time ranges. Two caution points: (1) reference/error-handling.md says very large results may be parsed by invoking local interpreters (node, python, jq, pwsh) or by running Bash; those paths are optional but execute local code when used, and (2) the user must run `openclaw mcp set` to provide the Grafana token, which stores the credential in the workspace config outside the skill's declared env vars. No instructions send data to external endpoints other than the Grafana/MCP URL the user provides.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files. Lowest install risk: nothing is downloaded or written by an installer.
Credentials
concern
The skill requires, in practice, a Grafana service-account token configured into OpenClaw's MCP registry (SKILL.md demonstrates the `openclaw mcp set amg '{...Authorization: "Bearer <your-token>"}'` command), yet the registry metadata lists no required env vars or primary credential. A service-account token carries every permission of its service account, so a token minted for an Editor or Admin account can read and query all datasources and modify dashboards, not just query Azure Monitor. Requiring a workspace-stored token of that potential reach without declaring it in the skill manifest is a proportionality/documentation mismatch. Users should ensure the token is least-privilege (read-only on the Azure Monitor datasource) before registering it.
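The Guidance and Credentials sections both ask the user to verify the token's scope before handing it to `openclaw mcp set`. The script below is an added example written for this review, not code from the ClawScan page or from the skill. It assumes the response shape of Grafana's `GET /api/access-control/user/permissions` endpoint (an object mapping each RBAC action to the list of scopes it is granted on) and flags any permission beyond read/query on a single Azure Monitor datasource. The datasource UID `azmon-prod`, the Grafana URL, and the two permission sets are constructed samples; only `fetch_permissions` touches a live instance.

```python
"""Least-privilege audit for the Grafana service-account token a skill
wants registered as its 'amg' MCP server.

Added example; assumes Grafana's /api/access-control/user/permissions
returns {"<action>": ["<scope>", ...]} for the caller's own token.
"""
import json
import urllib.request

# Actions a read-only cost-analysis workflow legitimately needs: listing the
# datasource and querying it. Anything else (datasources:write, dashboards:*,
# users:*, ...) is surplus for this skill.
READ_ONLY_ACTIONS = {"datasources:read", "datasources:query"}

# Scopes that mean "every datasource". A token carrying one of these can query
# any backend Grafana can reach, not just the Azure Monitor datasource.
WILDCARD_SCOPES = {"*", "datasources:*", "datasources:uid:*"}


def fetch_permissions(grafana_url: str, token: str) -> dict:
    """Ask Grafana what the candidate glsa_ token can do (needs network)."""
    req = urllib.request.Request(
        grafana_url.rstrip("/") + "/api/access-control/user/permissions",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_permissions(perms: dict, azure_ds_uid: str) -> list:
    """Return findings that disqualify the token.

    An empty list means the token is confined to read/query on the one
    datasource identified by azure_ds_uid.
    """
    findings = []
    wanted_scope = f"datasources:uid:{azure_ds_uid}"
    for action, scopes in sorted(perms.items()):
        if action not in READ_ONLY_ACTIONS:
            findings.append(f"surplus action {action} on {scopes}")
            continue
        for scope in scopes:
            if scope in WILDCARD_SCOPES:
                findings.append(f"{action} granted on all datasources ({scope})")
            elif scope != wanted_scope:
                findings.append(f"{action} reaches a datasource other than Azure Monitor ({scope})")
    return findings


# Constructed sample 1: a token for a service account with the Viewer basic
# role. Viewer can query every datasource and read every dashboard, so it
# fails the check even though it is "read-only".
VIEWER_TOKEN_PERMS = {
    "datasources:query": ["datasources:*"],
    "dashboards:read": ["dashboards:*"],
}

# Constructed sample 2: a service account with no basic role and only a
# datasource-level Query permission on the Azure Monitor datasource.
SCOPED_TOKEN_PERMS = {
    "datasources:read": ["datasources:uid:azmon-prod"],
    "datasources:query": ["datasources:uid:azmon-prod"],
}


if __name__ == "__main__":
    # Offline demo on the constructed samples; swap in
    # fetch_permissions("https://grafana.example", "glsa_...") for a real token.
    for name, perms in (("viewer", VIEWER_TOKEN_PERMS), ("scoped", SCOPED_TOKEN_PERMS)):
        findings = audit_permissions(perms, "azmon-prod")
        print(name, "OK" if not findings else "REJECT")
        for f in findings:
            print("  -", f)
```

Run it against the real token before `openclaw mcp set`; if any finding is printed, mint a new service account with only a datasource-scoped Query permission rather than a basic role, and revoke the broader token.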
Persistence & Privilege
ok
The skill is not always-enabled, and model invocation is disabled (disable-model-invocation: true), so it cannot run autonomously. It writes reports to its own memory path (memory/amg-check-azure-spend/report.md), which is normal for a skill of this type. It does not request system-wide configuration changes or persistent privileges beyond storing its own config in workspace memory and the MCP registry entry the user creates.