Skill v1.0.0
ClawScan security
Spot Strategy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 1, 2026, 10:06 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only helper for designing EC2 Spot strategies and its inputs/requirements are consistent with that purpose.
- Guidance: This skill appears coherent and appropriate for designing Spot strategies. Before sharing data: verify any pasted CLI/console output contains no access keys or secrets (the skill requests only read-only outputs), consider redacting tags, account IDs, private IPs, or other identifiers if you are uncomfortable sharing them, and provide the minimum necessary data (a sample of instances or a summary) rather than full dumps when possible. If you prefer, run the AWS CLI locally and paste only the specific JSON blocks the skill requests. The skill’s explicit rule to never ask for credentials is good — don't provide keys or secret values under any circumstances.
Review Dimensions
- Purpose & Capability (ok): Name/description ask for Spot strategy design and the SKILL.md only requests EC2 inventory, ASG config, and cost data — all are expected inputs for this purpose. No unrelated credentials, binaries, or installs are requested.
- Instruction Scope (note): The skill asks users to paste AWS CLI/console output (describe-instances, ASG, cost reports). This is appropriate for analysis but may include sensitive metadata (account IDs, instance IDs, private IPs, tags, AMI IDs). The SKILL.md explicitly forbids asking for credentials and asks to confirm no credentials are included before processing — that's good practice.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; nothing is written to disk or downloaded.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The SKILL.md recommends only read-only CLI outputs and provides a minimal read-only IAM policy for those who want to run the commands themselves.
- Persistence & Privilege (ok): The skill does not request persistent/always-on presence (always:false) and does not ask to modify other skills or system settings. Model invocation is allowed (default), which is normal for skills and acceptable here.
