Skillv1.0.0

ClawScan security

cloud-tagging-enforcer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 12:56 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions clearly perform cross-cloud scans and require cloud CLIs/credentials, but the skill metadata does not declare required binaries or any credentials — an incoherent gap that could lead to unexpected access if run.
Guidance: This skill's instructions will list and inspect resources across AWS, GCP, and Azure and reference $GCP_PROJECT, but the skill metadata does not declare required CLIs or any cloud credentials. Before installing or running: (1) require the author to declare required binaries (aws, gcloud, az, rg, python3) and the exact credentials/primaryEnv variables needed; (2) run scans with a dedicated read-only audit role/service account with the minimum permissions (no broad admin keys); (3) verify the agent will not execute remediation scripts automatically—treat remediation as a separate, reviewed step; (4) confirm where reports or outputs are written or transmitted; (5) consider running initial scans in a test account/project or with IAM permissions scoped to a single account/region. If you cannot guarantee least-privilege credentials or control over automatic execution, avoid installing or enabling autonomous invocation.
Findings: [no_findings] expected: The static regex scanner found nothing because this is an instruction-only skill with no code files. Lack of findings is not evidence of safety; the SKILL.md itself contains the operational behavior that must be reviewed.

Review Dimensions

Purpose & Capability: concernThe name/description and SKILL.md align (audit/enforce tags across AWS/GCP/Azure). However, the skill does not declare that it needs cloud credentials or CLIs even though the runtime instructions require aws, gcloud, az, and access to cloud accounts. Requiring access to multiple cloud providers is reasonable for the stated purpose, but the metadata omits those requirements.
Instruction Scope: concernThe SKILL.md instructs the agent to run commands that enumerate resources (aws resourcegroupstaggingapi, aws s3api list-buckets, gcloud asset search-all-resources, az resource list) and to search the repo (rg). It also references an env var ($GCP_PROJECT). These actions access cloud inventories and potentially many resources; they go beyond local repo reads and require cloud credentials and network access. The instructions do not constrain scope (no explicit account/project selection except $GCP_PROJECT) and include automation (remediation scripts) that could modify cloud resources if executed.
Install Mechanism: okInstruction-only skill (no install spec, no code files). This is lower risk from an installation-execution perspective because nothing is downloaded or written by an installer. However, runtime shell commands will execute existing CLIs if present.
Credentials: concernThe skill requests no env vars or primary credential in metadata, yet the instructions implicitly require cloud credentials (AWS, GCP, Azure) and use $GCP_PROJECT. This is a mismatch: either the metadata should list required credentials and recommended least-privilege scopes, or the instructions are assuming the agent environment already has broad cloud access — a potentially dangerous implicit assumption.
Persistence & Privilege: okThe skill is not always:true and cannot force inclusion. disable-model-invocation is default (agent may call it autonomously) — normal for skills. No install-time persistence or modifications to other skills are present.