Skillv1.0.0

ClawScan security

backpressure-analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 12:54 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The instructions match a backpressure-analysis purpose, but the skill references cloud CLIs and environment variables (e.g., AWS CLI, $KAFKA_BROKER) without declaring credentials or required env — that mismatch and the broad system-level commands are concerning.
Guidance: This skill's instructions are plausible for diagnosing backpressure, but they call cloud and local CLIs (AWS, Kafka, RabbitMQ, Redis) and reference $KAFKA_BROKER without declaring credentials. Before installing: 1) Ask the publisher for a source/homepage and explicit list of required env vars and permissions. 2) If you run it, avoid giving it high-privilege AWS credentials — use a read-only, least-privilege IAM role scoped to just the queues/topics needed. 3) Run first in an isolated/test environment where those CLIs exist and credentials are safe. 4) Inspect and, if needed, constrain the exact commands the agent will run (limit which queues or clusters it can enumerate). 5) Prefer skills that declare required env vars and document required CLIs and permissions; absence of those declarations is the main red flag here. Additional information that would raise confidence: a trusted source/homepage, explicit env var/credential declarations, or code/tests demonstrating exactly what will be queried and why.
Findings: [instruction_only_no_code] expected: No code files were present so the regex scanner had no static code to analyze. This is expected for an instruction-only skill, but means the SKILL.md is the primary security surface.

Review Dimensions

Purpose & Capability: noteThe described functionality (Kafka, RabbitMQ, SQS, Redis Streams, Prometheus) aligns with backpressure analysis. However the SKILL.md uses $KAFKA_BROKER and AWS CLI commands even though the skill metadata declares no required env vars or credentials — a mismatch between what the skill does and what it asks for.
Instruction Scope: concernRuntime instructions tell the agent to run many system/cloud commands (kafka-consumer-groups, rabbitmqctl, aws sqs, redis-cli, curl against localhost metrics, etc.). These commands will access local services and cloud accounts and can reveal sensitive operational data. The instructions assume access to credentials and network endpoints that are not declared or constrained.
Install Mechanism: noteNo install spec or code files (instruction-only) — low install risk. But the skill implicitly requires many CLIs (aws, kafka-consumer-groups, rabbitmqctl, redis-cli, curl, python3) to be present; absence of an install step or validation means it may fail or behave inconsistently depending on the environment.
Credentials: concernThe skill declares no required env vars/credentials, yet the instructions use $KAFKA_BROKER and call AWS CLI (which uses AWS credentials). This is disproportionate: the skill should explicitly declare the exact credentials and permissions it needs. As written, it could cause an agent to access cloud account credentials unexpectedly.
Persistence & Privilege: okThe skill is not 'always: true' and has no install or persistent components, so it does not request permanent presence or system-wide changes. Note: the agent may still invoke it autonomously (default), which combined with the environment/credential concerns increases risk.