Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

aws-ecs-monitor

v1.0.1

AWS ECS production health monitoring with CloudWatch log analysis — monitors ECS service health, ALB targets, SSL certificates, and provides deep CloudWatch...

by Brian Colinger (@briancolinger)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included scripts: both scripts call the AWS CLI to list/describe ECS services, CloudWatch logs, and ALB target groups and perform HTTP/SSL checks. However, the registry metadata declares no required environment variables or primary credential, while the scripts require ECS_CLUSTER and implicitly require AWS credentials (via the aws CLI). This is an incoherence: an ECS-monitor needs AWS credentials and at least ECS_CLUSTER declared.
Instruction Scope
SKILL.md instructs the agent to run the provided bash scripts which (a) call aws CLI to enumerate services, describe services/target groups, and pull CloudWatch logs, (b) perform HTTP probes with curl, and (c) write JSON reports to a local ./data directory. The instructions and scripts access AWS resources (logs, service metadata, target health) that require valid AWS credentials and specific IAM permissions but the skill metadata doesn't declare that. The scripts write to disk (./data) and will read environment variables; nothing else in the shown code appears to contact unknown external endpoints beyond user-configured domains for health checks.
Install Mechanism
No install spec is provided and the skill is instruction-plus-scripts only. No external archives, arbitrary downloads, or installers are executed by the skill itself — risk surface from installation is low. It does assume the presence of aws, curl, and python3 on PATH.
Credentials
The scripts require ECS_CLUSTER and assume AWS CLI credentials (e.g., via environment variables or AWS config) with permissions covering ECS, ELBv2, and CloudWatch Logs. The registry lists no required env vars and no primary credential. Declaring no primary credential is disproportionate and misleading — the skill will only function if the agent environment provides AWS credentials, and those credentials grant broad read access to cluster, ALB, and logs.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configurations. It writes output to a user-configurable local directory (default ./data) but does not request elevated or persistent platform privileges. Autonomous invocation is allowed (platform default) — note that with AWS credentials available the agent could run these scripts autonomously to query your account.
What to consider before installing
This skill appears to be a legitimate ECS health and log monitoring tool, but the package metadata is incomplete: it does not declare that ECS_CLUSTER is required nor that AWS credentials are needed. Before installing or running it, verify where and how the skill will get AWS credentials (environment vars, AWS config, or instance role) and ensure the credentials are least-privileged (read-only: ecs:ListServices/DescribeServices, elbv2:DescribeTargetGroups/DescribeTargetHealth, logs:FilterLogEvents/DescribeLogGroups). Also: run the scripts in a safe test account or isolated environment first to confirm behavior and to inspect full (untruncated) script contents for any data exfiltration or unexpected network calls. If you cannot provide controlled AWS credentials, do not enable this skill.

Like a lobster shell, security has layers — review code before you run it.

latest: vk976b2hz5445757fxczy51z8xs81fv9g

Runtime requirements

Bins: aws, curl, python3
Any bin: openssl
