Skill v1.0.0
ClawScan security
Devtest Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 3, 2026, 11:44 AM)
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is instruction-only and its requests and outputs are consistent with an Azure dev/test cost-optimization helper; nothing requested is disproportionate, but users should sanitize pasted exports and review generated runbooks before running them.
- Guidance
- This skill appears coherent with its stated purpose, but take these precautions before using it: (1) Do not paste credentials, secret keys, or SAS tokens — remove them if present. The skill asks for CLI output/exports which can contain tenant, subscription, or resource identifiers; redact anything you don't want shared. (2) The skill may request uptime/metrics that are not obtained by the provided example commands — be prepared to export Azure Monitor metrics or activity logs if you want accurate uptime analysis. (3) Treat generated PowerShell runbooks and automation scripts as drafts: review and test them in a safe environment (staging subscription or sample VMs) before applying to production — shutdown schedules can interrupt builds or monitoring. (4) Ensure the RBAC roles requested (Cost Management Reader, Reader) are scoped minimally to the subscription(s) you want analyzed. (5) If you are uncomfortable sharing raw exports, provide anonymized/sanitized samples or high-level summaries (counts, average hours) instead. Overall: the skill is consistent and not requesting excessive access, but be careful with data you paste and always review any automation scripts it produces.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the instructions: the skill asks for VM inventory, cost exports, and subscription lists and promises schedules, runbooks, and policy guidance. No unrelated credentials, binaries, or installs are requested.
- Instruction Scope
- note: Instructions are mostly scoped to collecting Azure inventory and cost exports and generating shutdown schedules/runbooks. Two minor issues: (1) the SKILL.md says it will 'analyze VM uptime metrics' but the example az commands do not fetch metrics/monitoring data (Azure Monitor metrics/logs would be required); (2) an example az consumption command uses hard-coded historical dates which may confuse users. The doc explicitly forbids requesting credentials and asks to confirm exported data contains no secrets, which is good practice, but pasted exports can still accidentally include sensitive identifiers and should be sanitized.
- Install Mechanism
- ok: Instruction-only skill with no install spec and no code files. This is the lowest-risk install posture.
- Credentials
- ok: The skill requests no environment variables, credentials, or config paths. It does ask the user to run az CLI locally with read-only roles (Cost Management Reader/Reader), which is proportional to the stated task.
- Persistence & Privilege
- ok: The skill is not marked always:true and does not request persistent system presence or modify other skills. Autonomous invocation is allowed by platform default, but this skill is instruction-only, so there is no hidden persistence.
