Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
cloudnap
v1.0.1
Manage your AWS EC2 instances by listing, starting, stopping, and scheduling them via the CloudNap API using your API key.
by Bhushan Wanjari (@bhushan21z)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a CloudNap API that lists/starts/stops EC2 instances and manages schedules — this matches the skill name/description. However, the registry metadata declares no required environment variables or primary credential while the instructions clearly require a CLOUDNAP_API_KEY. That metadata omission is an inconsistency.
Instruction Scope
The instructions themselves are narrowly scoped: they specify only calls to https://app.cloudnap.in/api/v1, require a single API key header, forbid accessing other env vars or files, and include clear error and behavior handling. There is no apparent scope creep inside SKILL.md.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk during install — low install risk.
Credentials
The skill legitimately needs a single API key (CLOUDNAP_API_KEY), which is proportionate. The concern is that the registry metadata did not declare this required env var or a primary credential. Additionally, the skill would grant control over EC2 instances through CloudNap — possession of the API key confers significant power, so key scoping and provenance matter.
Persistence & Privilege
The skill is not always:true and is user-invocable (defaults). Autonomous invocation is allowed (platform default). While this is normal, note that an autonomously-invokable skill that can start/stop instances increases blast radius if the API key is misused — review invocation policies and key scope.
What to consider before installing
Before installing:
(1) Ask why the registry metadata omits the required CLOUDNAP_API_KEY and request that the skill manifest be updated to declare it and mark it as the primary credential.
(2) Confirm who published this skill and request a homepage/source repository — there is no provenance listed.
(3) Verify that app.cloudnap.in is a trusted service for your organization.
(4) Ensure the CLOUDNAP_API_KEY will be injected securely by the platform (do not paste keys into chat).
(5) Limit the API key's permissions in CloudNap to the minimum needed (prefer test/non-production resources for initial use), enable audit logging on CloudNap/AWS, and rotate the key if you later uninstall the skill.
(6) Because the skill can control instances, be cautious with autonomous agent invocation: consider requiring explicit user confirmation before performing start/stop actions or restrict the skill to manual invocation until you trust it.
If the publisher cannot provide a source or explain the missing metadata, treat the skill as higher risk and avoid installing it.
Like a lobster shell, security has layers — review code before you run it.
