Iam Policy Auditor

v1.0.0

Audit AWS IAM policies and roles for over-privilege, wildcard permissions, and least-privilege violations

by Anmol Nagpal (@anmolnagpal)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name and description (IAM policy auditing) align with the SKILL.md: parse policy JSON, flag dangerous patterns, map to MITRE ATT&CK, and produce least-privilege replacements. The skill declares no required credentials or installs, which is coherent if the user supplies the IAM policy JSON to be audited. One minor oddity: the SKILL.md header lists tools: "claude, bash" — if the implementation actually executes bash or attempts to call remote models to fetch policies, that would require additional permissions/credentials which are not declared.
Instruction Scope
The runtime instructions focus on parsing provided IAM policy JSON and producing findings and remediation; they do not instruct reading arbitrary files, environment variables, or contacting external endpoints. However, a few items imply account-level checks (e.g., "flag policies attached to EC2 instance profiles", "recommend enabling IAM Access Analyzer if not active") which would require querying AWS account state. The SKILL.md does not describe how to obtain those artifacts (user paste vs. using AWS credentials). That ambiguity should be clarified before giving the skill access to an AWS account or letting it run shell commands.
Install Mechanism
No install spec and no code files are present (instruction-only). This is low-risk: nothing will be written to disk or automatically installed by the skill itself.
Credentials
The skill declares no required environment variables or primary credentials, which is proportionate for an analysis that works from user-provided policy JSON. If the skill later asks for AWS credentials to fetch attached resources or to check account configuration, that would be an escalation and should be explicitly declared and justified.
Persistence & Privilege
always is false and there is no installation step that requests persistent presence. The skill is user-invocable and not forced into every agent run, which is appropriate for a tool that performs security audits on demand.
Assessment
This skill looks coherent for auditing IAM policy JSON as long as you supply the policies yourself. Before installing or running it: (1) Do not provide AWS credentials unless you explicitly want the skill to fetch live account attachments—ask the developer how the skill obtains policies. (2) If the skill asks to run shell commands (the SKILL.md lists "bash"), avoid granting shell access or providing files from your system; instead paste the policy JSON directly. (3) Treat the generated "least-privilege" policy as a draft—review and test it in a safe environment before applying to production. (4) If the skill requests IAM keys or asks to enable services like Access Analyzer, require explicit justification and limit permissions (use read-only, scoped credentials or a dedicated auditing role).


