Finops Report
v1.0.0
Generate executive-ready monthly AWS FinOps reports with team-level chargeback and savings opportunities
by Anmol Nagpal (@anmolnagpal)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose is to generate AWS FinOps reports from billing data, but the package declares no required credentials, no config paths, and no data-source configuration. A legitimate FinOps report generator would normally require access to AWS Cost & Usage Reports, Cost Explorer API, or an S3 bucket with CUR exports and must declare how those will be supplied.
Instruction Scope
SKILL.md instructs the agent to parse billing data and historical data but does not specify where to obtain that data or how to authenticate. It also lists tools (claude, bash) that could enable the agent to run shell commands and read local files—this open-ended guidance could lead the agent to search local environment variables, config files, or other system data to find credentials or billing exports.
Install Mechanism
No install spec and no code files are present, so nothing will be written to disk during installation. This is the lowest-risk install mechanism.
Credentials
No environment variables or credentials are declared even though the task logically requires read-only AWS access to billing data. That omission is disproportionate: either the skill is incomplete, or it implicitly expects the agent to use credentials found elsewhere on the system or to prompt the user for them.
Persistence & Privilege
always is false and there is no indication the skill requests persistent or elevated privileges. Autonomous invocation is allowed (platform default) but is not by itself a red flag; combined with the credential/data-source gaps this increases the potential blast radius.
What to consider before installing
This skill is missing explicit instructions about where and how to get AWS billing data and it doesn't declare the credentials it needs. Before installing or using it:
(1) Ask the author to specify the data source (AWS Cost & Usage Report S3 bucket or Cost Explorer API) and required, minimal-scoped credentials (ideally a read-only IAM role or short-lived credentials).
(2) Do not provide long-lived root or broad AWS keys; prefer an IAM role with least privilege (Cost Explorer read-only or S3 read access to a CUR export).
(3) If you must run it locally, run in a sandbox and inspect any shell commands the agent executes; restrict the agent's ability to read environment variables or ~/.aws credentials if you don't want it to access them.
(4) Confirm whether the skill will prompt users for credentials vs. attempt to discover them automatically. Automatic discovery of credentials on the host is a significant privacy/security risk.
If the author supplies an updated SKILL.md that declares explicit data sources and required read-only credentials, this assessment could be re-evaluated as benign.
Like a lobster shell, security has layers — review code before you run it.
