Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Defender Posture Reviewer

v1.0.0

Interpret Microsoft Defender for Cloud Secure Score and generate a prioritized remediation roadmap

by Anmol Nagpal (@anmolnagpal)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for anmolnagpal/defender-posture-reviewer.

Prompt preview (Install & Setup):
Install the skill "Defender Posture Reviewer" (anmolnagpal/defender-posture-reviewer) from ClawHub.
Skill page: https://clawhub.ai/anmolnagpal/defender-posture-reviewer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install anmolnagpal/defender-posture-reviewer

ClawHub CLI


npx clawhub@latest install defender-posture-reviewer

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)

Purpose & Capability
Name/description match the runtime instructions: the skill asks users to provide Defender Secure Score exports, recommendation and alert JSONs and then produces prioritized remediation and Azure CLI remediation examples. It does not request unrelated credentials or system access.
Instruction Scope
SKILL.md stays within scope (parse exported data, prioritize, produce remediation and CLI commands). It explicitly states it will not execute Azure CLI or access the account. Minor ambiguity: the SKILL header lists 'tools: claude, bash' which could imply shell execution — the doc contradicts that. Also the skill asks users to paste raw exports and instructs to confirm no credentials are present before processing.
Install Mechanism
No install spec and no code files — instruction-only skill with nothing written to disk. Low install risk.
Credentials
No environment variables, keys, or persistent credentials are requested. The sample az CLI commands are read-only and the minimum RBAC role stated is Security Reader (subscription scope), which is appropriate for exporting the listed data.
Persistence & Privilege
Skill is not always-enabled and doesn't request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators.
Assessment
This skill appears coherent for its stated purpose, but consider the following before installing or using it:

  • Do not paste credentials, secret keys, or tokens. The skill tells you not to provide credentials; follow that.
  • Inspect any exported JSON/CSV before pasting: redact any secrets, but also be aware exports can contain subscription IDs, resource names, and principal IDs (sensitive for privacy and social engineering). Share only the minimum data needed.
  • Prefer running the example az commands locally yourself (they require Security Reader) and then paste the outputs; avoid granting the agent any direct CLI access.
  • The SKILL.md header lists 'bash' as a tool while the doc says it will not execute CLI commands; if you are deploying this into an environment where the agent can run shell commands, confirm that behavior with the platform and deny shell access if undesired.
  • Source and homepage are missing and the publisher identity is unknown, which reduces trust. If this will be used for high-stakes or production remediation, prefer skills from known vendors or verify the author first.
  • If you want higher assurance, ask the publisher for a provenance page or a signed SKILL.md and request logs showing the agent will not execute commands on your host.


latest: vk97db7zm03g2hazqhqx2b7ndt1828dda
341 downloads
0 stars
1 version
Updated 4h ago
v1.0.0
License: MIT-0

Microsoft Defender for Cloud Posture Reviewer

You are a Microsoft Defender for Cloud expert. Turn Secure Score recommendations into an actionable security roadmap.

This skill is instruction-only. It does not execute any Azure CLI commands or access your Azure account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. Defender for Cloud Secure Score export — overall and per-control scores
    How to export: Azure Portal → Defender for Cloud → Secure score → Download CSV
    
  2. Defender recommendations list — all active recommendations
    az security assessment list --output json > defender-recommendations.json
    
  3. Defender for Cloud alerts export — active security alerts
    az security alert list --output json > defender-alerts.json
    

Minimum required Azure RBAC role to run the CLI commands above (read-only):

{
  "role": "Security Reader",
  "scope": "Subscription"
}

If the user cannot provide any data, ask them to describe their current Secure Score percentage, their top 3 recommendation categories, and which Defender plans are enabled.

Steps

  1. Parse Secure Score and per-control recommendations
  2. Prioritize by real-world risk (not just score impact)
  3. Identify quick wins (high score impact, low effort)
  4. Generate remediation plan with Azure CLI commands
  5. Write CISO-ready posture narrative

Key Control Domains

  • Identity: MFA, admin accounts, legacy auth
  • Data: Encryption at rest/transit, SQL TDE, Key Vault
  • Network: NSG hardening, DDoS protection, Firewall
  • Compute: Endpoint protection, VM vulnerability assessment, Update Management
  • AppServices: HTTPS only, TLS version, auth enabled
  • Containers: Defender for Containers, image scanning, AKS RBAC

Output Format

  • Secure Score Summary: current score, max possible, % per domain
  • Quick Wins Table: recommendation, score impact, effort (Low/Med/High), Azure CLI fix
  • Critical Findings: immediate risk regardless of score impact
  • Remediation Roadmap: Week 1 / Month 1 / Quarter 1 plan
  • CISO Narrative: board-ready security posture summary (1 page)

Rules

  • Distinguish score-gaming (easy but low-risk) from real-risk remediation
  • 2025: Defender CSPM includes attack path analysis — highlight toxic combinations
  • Note if Defender plans are not enabled for key workload types (servers, containers, SQL)
  • Flag recommendations that have been dismissed/exempted without justification
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
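
The credential check in the last two Rules and the parse/prioritize/quick-wins/roadmap procedure in Steps 1-4, as one added worked example (this is not the skill's code and not from ClawHub or the publisher): a Python script that scans an export for secret-shaped strings before anything is pasted into the agent, lists the subscription IDs it carries so they can be redacted, and then does a first-pass triage of an `az security assessment list --output json` export into per-domain counts, a quick-wins table, critical findings and a Week 1 / Month 1 / Quarter 1 roadmap. The JSON field names (displayName, status.code, resourceDetails.id) follow the shape of the Azure CLI output; the sample export, the leaky paste, the secret patterns, the domain keyword table, the effort ratings, the critical markers and the CLI fix hints are all assumptions made for this example.

```python
"""Pre-paste secret check and first-pass triage of a Defender assessment export.

Added example, not part of the skill. Field names follow the shape of
`az security assessment list --output json`; everything else (sample data,
keyword tables, effort ratings, fix hints) is an assumption for illustration.
"""
import json
import re
from collections import Counter

SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"  # made-up subscription

# Constructed sample export in the CLI's output shape; resource names are made up.
SAMPLE_EXPORT = json.dumps([
    {"displayName": "MFA should be enabled on accounts with owner permissions on subscriptions",
     "status": {"code": "Unhealthy"}, "resourceDetails": {"id": SUB}},
    {"displayName": "Secure transfer to storage accounts should be enabled",
     "status": {"code": "Unhealthy"},
     "resourceDetails": {"id": SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp01"}},
    {"displayName": "Management ports of virtual machines should be protected with just-in-time network access control",
     "status": {"code": "Unhealthy"},
     "resourceDetails": {"id": SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web01"}},
    {"displayName": "Vulnerability assessment should be enabled on your SQL servers",
     "status": {"code": "Unhealthy"},
     "resourceDetails": {"id": SUB + "/resourceGroups/rg-app/providers/Microsoft.Sql/servers/sql-app01"}},
    {"displayName": "Log Analytics agent should be installed on virtual machines",
     "status": {"code": "Healthy"},
     "resourceDetails": {"id": SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web01"}},
])

# Constructed hand-made paste that accidentally carries a SAS token.
LEAKY_PASTE = ('{"resource": "' + SUB + '", "url": '
               '"https://stapp01.blob.core.windows.net/logs/a.json?sv=2022-11-02&sig='
               + "Q" * 40 + '"}')

# Secret-shaped strings that must never reach the agent (assumed pattern set).
SECRET_PATTERNS = {
    "storage account key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}=="),
    "SAS token": re.compile(r"[?&]sig=[A-Za-z0-9%+/=]{20,}"),
    "JWT / bearer token": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "client secret assignment": re.compile(r"(?i)(client_?secret|password)\s*[:=]\s*\S{8,}"),
}
# Not a secret, but an identifier worth redacting before sharing.
SUBSCRIPTION_ID = re.compile(r"/subscriptions/([0-9a-f-]{36})", re.I)

# Assumed keyword tables; first matching domain wins, so order matters.
DOMAIN_KEYWORDS = [
    ("Identity", ("mfa", "owner permissions", "authentication", "admin")),
    ("Containers", ("container", "kubernetes", "aks", "image")),
    ("AppServices", ("app service", "function app", "https only", "tls")),
    ("Network", ("management port", "network", "nsg", "ddos", "firewall", "just-in-time")),
    ("Data", ("storage", "encrypt", "sql", "key vault", "secure transfer")),
    ("Compute", ("virtual machine", "agent", "vulnerability", "update", "endpoint")),
]
LOW_EFFORT = ("secure transfer", "https only", "mfa", "tls version", "diagnostic")
CRITICAL_MARKERS = ("mfa", "owner permissions", "management port", "publicly accessible")
FIX_HINTS = {  # example hints only; check each against your own resources first
    "secure transfer": "az storage account update -n <account> -g <rg> --https-only true",
    "https only": "az webapp update -n <app> -g <rg> --https-only true",
    "mfa": "No CLI fix: enforce via Microsoft Entra Conditional Access",
}


def scan_for_secrets(text):
    """Return (label, preview) for each secret-shaped string found in text."""
    return [(label, m.group(0)[:12] + "...")
            for label, pat in SECRET_PATTERNS.items() for m in pat.finditer(text)]


def subscription_ids(text):
    return sorted(set(SUBSCRIPTION_ID.findall(text)))


def review_paste(text):
    """Gate before pasting: block on secrets, list IDs the user may want to redact."""
    secrets = scan_for_secrets(text)
    return {"secrets": secrets, "subscription_ids": subscription_ids(text),
            "safe_to_paste": not secrets}


def classify(name):
    low = name.lower()
    return next((d for d, kws in DOMAIN_KEYWORDS if any(k in low for k in kws)), "Other")


def effort(name):
    low = name.lower()
    if any(k in low for k in LOW_EFFORT):
        return "Low"
    return "Med" if ("just-in-time" in low or "network" in low) else "High"


def fix_hint(name):
    low = name.lower()
    return next((v for k, v in FIX_HINTS.items() if k in low), "manual: follow recommendation steps")


def assess(item):
    """Annotate one Unhealthy assessment with the columns the skill's tables need."""
    name = item["displayName"]
    return {"name": name, "resource": item.get("resourceDetails", {}).get("id", ""),
            "domain": classify(name), "effort": effort(name),
            "critical": any(k in name.lower() for k in CRITICAL_MARKERS),
            "fix": fix_hint(name)}


def roadmap(items):
    """Week 1 = immediate risk, Month 1 = remaining quick wins, Quarter 1 = the rest."""
    plan = {"Week 1": [], "Month 1": [], "Quarter 1": []}
    for it in items:
        phase = "Week 1" if it["critical"] else "Month 1" if it["effort"] == "Low" else "Quarter 1"
        plan[phase].append(it["name"])
    return plan


def triage(export_json):
    """Steps 1-4: keep Unhealthy items, bucket by domain, pick quick wins and critical findings."""
    items = [assess(i) for i in json.loads(export_json)
             if i.get("status", {}).get("code") == "Unhealthy"]
    return {"unhealthy": len(items), "by_domain": dict(Counter(i["domain"] for i in items)),
            "quick_wins": [i for i in items if i["effort"] == "Low"],
            "critical": [i for i in items if i["critical"]], "roadmap": roadmap(items)}


if __name__ == "__main__":
    for label, text in (("clean export", SAMPLE_EXPORT), ("hand-made paste", LEAKY_PASTE)):
        print(label, review_paste(text))
    result = triage(SAMPLE_EXPORT)
    print("unhealthy:", result["unhealthy"], "by domain:", result["by_domain"])
    for win in result["quick_wins"]:
        print(f"[{win['domain']}] {win['name']}\n    fix: {win['fix']}")
    for phase, names in result["roadmap"].items():
        print(phase, names)
```

Run it over the real export instead of SAMPLE_EXPORT before pasting anything: a non-empty "secrets" list means stop and redact, and the "subscription_ids" list is what to replace with placeholders if the agent does not need them. The keyword tables are deliberately small; a real deployment would key on the assessment's `name` GUID rather than the display text, which Microsoft can reword.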
