Skill v1.0.0
ClawScan security
AMG Key Vault Health Check · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 17, 2026, 6:05 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions largely match an AMG Key Vault health-check, but it requests and writes credentials/configuration at runtime without declaring them and includes fallback steps that can execute arbitrary code — these inconsistencies and execution vectors warrant caution.
- Guidance
- This skill appears to implement a legitimate AMG-driven Key Vault health check, but review these before installing:
  - Credential declaration mismatch: SKILL.md requires a Grafana service-account token (glsa_*) and instructs running openclaw mcp set to store it in workspace MCP config, but the skill metadata does not declare any required credentials. Confirm where and how the token will be stored and who/what has access to workspace MCP configs.
  - Persistence: the skill will create/update memory/amg-check-key-vault/config.md and report.md and may update MCP server entries. These stored artifacts contain configuration and findings; remove or audit them if they contain secrets.
  - Code execution fallback: error-handling instructs parsing large results with node -e, python -c, jq, or pwsh. Those commands can execute arbitrary code if not carefully constructed. Ask the skill author to replace exec-style fallbacks with pure parsing utilities (jq, safe Python scripts stored in the skill bundle, or explicit non-exec instructions) or require explicit user approval before running any interpreter commands on result files.
  - Source provenance: the SKILL.md claims an official source (GitHub) but registry source is unknown and homepage is none. Verify the repository and review its code (if any) before trusting the token you supply.
  - Least privilege: create a Grafana service-account token with the minimal scope required and rotate/revoke it after use if possible. Limit the MCP server registration name to a workspace-local, auditable entry.

  If the author can (a) declare the required credential in the metadata, (b) remove or make safe the exec-style fallbacks, and (c) show the official source code/repo, the inconsistencies would be resolved and the skill would be reasonable to use. Until then, proceed cautiously and avoid supplying high-privilege tokens.
Review Dimensions
- Purpose & Capability
- note: Name and description match the SKILL.md workflow: it performs a fleet-wide AMG (Azure Managed Grafana) + Azure Monitor-based Key Vault health check using MCP tools. Requiring a Grafana MCP server named 'amg' and calling mcp__amg__* tools is coherent for this purpose. However, the skill does not declare any required credentials in its registry metadata even though the runtime setup explicitly requires a Grafana service-account token (glsa_). That missing declaration is an inconsistency.
- Instruction Scope
- concern: The SKILL.md is detailed and scoped to Key Vault telemetry and metrics. Concerns: (1) it instructs registering an MCP server by running openclaw mcp set with a Grafana token (sensitive secret stored in workspace MCP config) but the registry metadata lists no required env/credential. (2) Error handling suggests saving large results to a temp file and parsing with interpreters using commands like node -e, python -c, jq, or pwsh; these fallbacks can execute arbitrary code or run user-supplied scripts if not tightly controlled. (3) The skill reads/writes agent memory files (memory/amg-check-key-vault/*) which will persist findings across sessions — expected for the
- Install Mechanism
- ok: Instruction-only skill with no install spec and no code files. This minimizes disk-write/install risk. All execution is via allowed-tools and shell commands described in SKILL.md.
- Credentials
- concern: The skill needs a Grafana service-account token to call AMG MCP endpoints (explicitly shown in the one-time setup command), yet the registry metadata lists no required env vars or primary credential. That mismatch is notable: a secret is required at runtime but not declared. The skill also expects access to agent memory and the ability to register an MCP server name 'amg' in workspace config, which is a workspace-level credential/config change and should be justified/declared.
- Persistence & Privilege
- note: always:false and disable-model-invocation:true (skill cannot be run autonomously by the model) both reduce risk. The skill writes/updates memory files under memory/amg-check-key-vault and may update the workspace MCP server configuration (openclaw mcp set), which persists credentials/config in the workspace. Those are reasonable for a monitoring skill but require the user to trust where credentials are stored and who can read workspace config.
