v1.0.0

Firebase Rules Auditor

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:40 AM.

Analysis

This instruction-only skill is a focused Firebase rules auditor that reads expected local rules/config files and reports issues without requesting credentials, installation, persistence, or account-changing access.

Guidance: This skill appears safe for reviewing Firebase Security Rules. Before installing or invoking it, understand that it may read local Firebase rules/config files and provide suggested rule changes; do not blindly deploy generated recommendations without human review.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
SKILL.md
cat firestore.rules 2>/dev/null
cat database.rules.json 2>/dev/null
cat storage.rules 2>/dev/null
cat firebase.json 2>/dev/null

The skill directs the agent to use shell commands to read local Firebase rules and configuration files. This is necessary for the audit purpose, but users should expect those local files to be inspected.

User impact: The agent may read the contents of Firebase rule/config files in the current project, which can reveal application structure and security assumptions.
Recommendation: Use it only in the intended Firebase project directory and review any generated recommendations before applying them to production rules.