v1.0.0

Cloudtrail Threat Detector

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 6:15 AM.

Analysis

This skill is a coherent, instruction-only AWS CloudTrail analysis guide that asks users to provide exported logs and explicitly avoids credentials or direct AWS access.

Guidance: This appears safe for its stated purpose. Before installing or using it, remember that CloudTrail logs can reveal sensitive account activity, usernames, IP addresses, and resource names. Share only the relevant time window, remove any accidental secrets, and do not provide AWS access keys or secret keys.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Info | Confidence: High | Status: Note
SKILL.md
"tools: claude, bash" and "This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly."

The frontmatter names bash, while the body frames AWS CLI commands as user-run export examples and says the skill should not access AWS directly. This is not suspicious, but users should treat the commands as manual setup steps.

User impact: A user might copy and run AWS CLI commands to gather logs, but the artifact does not instruct the agent to execute them automatically.
Recommendation: Run export commands yourself only after reviewing them, and do not provide AWS credentials or secret keys.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
"Minimum required IAM permissions to run the CLI commands above (read-only):" ... "Action": ["cloudtrail:LookupEvents", "cloudtrail:GetTrail", "logs:FilterLogEvents", "logs:GetLogEvents"], "Resource": "*"

The skill documents read-only AWS permissions a user may need to export CloudTrail and CloudWatch logs. This is purpose-aligned and disclosed, but users should notice that it involves AWS account visibility.

User impact: If the user runs the suggested commands, they may expose detailed AWS activity logs to the chat for analysis.
Recommendation: Use a least-privilege read-only role, limit the time window and account scope where possible, and review exported logs before sharing.