ClawHub

Idle Resource Detector

v1.0.0

Detect AWS idle and zombie resources consuming cost with zero meaningful utilization

0· 270·0 current·0 all-time
byAnmol Nagpal@anmolnagpal
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose is to scan AWS resources and produce AWS CLI cleanup commands, but the registry metadata declares no required binaries (aws CLI), no environment variables, and no config paths. To perform its task it legitimately needs AWS CLI access and AWS credentials/role — these are missing from the declared requirements.
!
Instruction Scope
SKILL.md explicitly requires inclusion of AWS CLI commands and step-by-step cleanup actions and lists many resource types to inspect. That implies the agent will read AWS account state (via CLI/API) and may present deletion commands. The document does state 'Never suggest deleting resources without a confirmation flag' and to flag prod/critical names, but it gives broad discretion to run discovery and produce potentially destructive commands without specifying how credentials are obtained or how the confirmation flow is enforced.
Install Mechanism
Instruction-only skill with no install spec poses low installation risk (no archives or external code downloads).
!
Credentials
No environment variables or primary credential are declared, yet the skill needs AWS credentials (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY or instance/profile credentials) and the aws CLI binary. This mismatch could lead the agent to use existing host credentials (e.g., ~/.aws, environment, or instance profile) without explicit user awareness. Required privileges (read-only vs. delete) are not specified.
Persistence & Privilege
always:false and no claims of modifying other skills or system-wide settings. The skill does not request permanent presence or elevated platform privileges.
What to consider before installing
This skill's instructions clearly rely on the AWS CLI and live AWS credentials, but the package metadata doesn't declare those requirements — that's a warning sign. Before installing or running it: (1) Verify where the agent will obtain AWS credentials (environment, ~/.aws, instance profile) and avoid giving high-privilege keys; prefer a read-only or least-privilege role. (2) Require an explicit confirmation flag and human review before any delete command is executed; test the skill in a non-production account first. (3) Ask the publisher to update metadata to list required binaries (aws), required env vars or config paths, and to document the exact IAM permissions needed (read-only vs. deletion). (4) If you cannot confirm the confirmation enforcement or credential handling, do not run this against production accounts or keys. Absence of code/scan findings is expected for an instruction-only skill and does not imply safety.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fd2kg2hspay8eyr3f73qmk9823ht0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments