Skill v1.0.0

ClawScan security

Bigquery Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 6:25 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent — an instruction-only BigQuery cost analyzer that asks you to provide exported query/storage/billing data (not credentials) — but any pasted exports may contain sensitive identifiers or PII that you should redact before sharing.
Guidance
This skill appears coherent and does not request credentials, but the outputs it asks you to paste can include sensitive information (user email addresses, full SQL text, project IDs, billing account IDs, or accidentally copied service-account keys). Before sharing:
1) Remove or anonymize user_email fields and any PII.
2) Strip or redact project IDs/billing account IDs if you don't want them disclosed.
3) Never paste service account keys, private keys, or any credentials.
4) If possible, limit exported columns to only what's necessary (bytes_billed, table name, query fingerprint) or share a small anonymized sample.
5) Run the bq/gcloud commands with a read-only, least-privileged account in a secure environment.
If you need higher assurance, ask the maintainer for a schema-only template you can fill with anonymized data before sending.

Review Dimensions

Purpose & Capability
ok: The name/description match the runtime instructions: the skill asks users to export BigQuery JOBS, table storage, and billing data and then performs offline analysis. It does not claim to access GCP itself and does not request credentials, which is proportionate to a remote analysis skill.
Instruction Scope
note: Instructions tell the user to run bq/gcloud commands and paste results. This is within scope, but the requested outputs include user_email, full query text, project/billing identifiers and other potentially sensitive data (PII, project IDs). The SKILL.md does state 'Never ask for credentials' and to confirm no credentials are included, but users should be warned to redact email addresses, service-account references, project IDs, or any embedded secrets before sharing.
Install Mechanism
ok: No install spec and no code files; instruction-only skills are lowest-risk for installation since nothing is downloaded or written to disk.
Credentials
ok: The skill requires no environment variables, primary credential, or config paths. The only sensitive surface is user-provided exported data (queries, billing), which is expected for this purpose but should be handled cautiously.
Persistence & Privilege
ok: always is false, and the skill does not request persistent presence or modify other skills/system settings. It is user-invocable and can be called by the agent (normal behavior).