Autoscaling Policy Designer

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly an autoscaling design guide, but it includes live AWS commands that can change cloud scaling behavior without enough safety framing.

Review before installing or using. Treat the AWS autoscaling snippets as production-impacting commands: only run them after confirming the account, region, ASG name, intended environment, expected cost impact, and rollback plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill is framed as a design aid, but it includes commands that directly mutate live AWS autoscaling resources. That expands the capability from analysis into production change execution, increasing the chance an agent or user will apply unreviewed scaling changes that affect availability or cost.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
Direct cloud mutation capabilities are unjustified for a skill whose stated purpose is designing autoscaling policies. Embedding live `aws autoscaling put-*` commands can cause unintended production changes, outages, or runaway spend if executed automatically or by an over-trusting operator.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill provides production-modifying autoscaling commands without explicit warnings about blast radius, rollback, or validation before use. In an agent setting, omission of such cautions materially increases the risk of unsafe changes being applied to live infrastructure.

VirusTotal

64/64 vendors flagged this skill as clean.
