Skillv1.0.0

ClawScan security

Canary Deployment Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 28, 2026, 11:45 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's behavior (queries to Prometheus/Datadog/CloudWatch, kubectl logs, and use of secrets) is coherent with canary analysis, but the SKILL.md expects access to credentials and CLI tools that are not declared in the skill metadata — an inconsistency that could lead to accidental exposure of sensitive data if installed without care.
Guidance: This skill appears to do what its name says (compare canary vs baseline), but the instructions rely on cluster/monitoring credentials and CLIs that the manifest does not declare. Before installing or using it: 1) Confirm which credentials it will need (Prometheus URL, Datadog API key, AWS creds, kubeconfig) and provide least-privilege, read-only access (e.g., read-only AWS IAM role, limited Datadog key, Kubernetes service account limited to log access). 2) Run the skill in a controlled environment (staging account or isolated cluster) first so you don't expose production secrets. 3) Consider modifying the skill to explicitly declare required env vars and binaries in metadata so you can audit what will be accessed. 4) If you share agent access with others, avoid storing long-lived credentials in the agent environment; prefer short-lived tokens or scoped service accounts. 5) If author/source is unknown/untrusted, treat credential provision as risky — request provenance or a signed manifest before granting access.

Review Dimensions

Purpose & Capability: concernThe declared purpose—analyzing canary vs baseline metrics—is consistent with the commands shown (Prometheus/Datadog/CloudWatch queries, latency/error comparisons, log analysis). However, the skill metadata declares no required environment variables or binaries while the instructions explicitly rely on PROMETHEUS_URL, DD_API_KEY, aws CLI with AWS credentials, kubectl, and python3. That mismatch (the skill asking for access at runtime but not declaring it up-front) is a red flag for incoherence and operational surprise.
Instruction Scope: concernThe SKILL.md instructs the agent to run network calls and cluster-level commands: curl against monitoring APIs, use Datadog API key, call aws cloudwatch, and run kubectl logs on deployments. Those actions are within the declared purpose, but they give the agent broad read access to monitoring/cluster data and require sensitive credentials. The instructions also implicitly allow the agent to choose which data sources to query (Prometheus vs Datadog vs CloudWatch vs logs), which is open-ended and increases blast radius if credentials are provided inadvertently.
Install Mechanism: okNo install spec and no code files — the skill is instruction-only, so nothing is written to disk or fetched automatically. This lowers supply-chain risk. However, runtime commands will invoke local CLIs and network calls, so the lack of install does not eliminate operational risk.
Credentials: concernThe SKILL.md expects environment variables and credentials (PROMETHEUS_URL, DD_API_KEY, AWS credentials for aws CLI, possibly Kubernetes kubeconfig or cluster auth for kubectl) but the skill metadata declares none. Requiring these secrets at runtime without declaring them is disproportionate transparency-wise and could lead to accidental credential exposure when a user attempts to use the skill. The skill also references python3 and kubectl without declaring required binaries.
Persistence & Privilege: okThe skill is not marked 'always: true' and is user-invocable only; it does not request persistent or elevated platform privileges in the manifest. As an instruction-only skill it does not modify other skills or agent-wide config. Autonomous invocation is allowed by default but is not combined with other manifest-level privileges here.