Kafka
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This Kafka helper is purpose-aligned, but it can make real Kafka cluster changes and uses local Kafka credentials/configuration if provided.
This appears to be a normal Kafka administration helper. Before installing, make sure the Kafka CLI tools it will run are trusted, point KAFKA_BOOTSTRAP and any KAFKA_CONFIG_FILE only at the intended cluster, and require explicit approval before producing messages, deleting topics, or changing partitions in production.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If pointed at the wrong Kafka cluster or used without clear intent, the agent could publish messages or alter/delete Kafka topics.
The skill exposes Kafka operations that can publish data, create topics, delete topics, and alter partition counts. These are expected for a Kafka management tool, but they can affect production systems.
`create-topic` ... `produce` ... `delete-topic` ... `partitions`
Use this only with the intended Kafka bootstrap server, and require explicit confirmation before destructive or production-impacting operations.
The agent may act with whatever Kafka permissions are available through the selected config file.
The helper can use a Kafka client configuration file, which may contain authentication details or privileged cluster settings. This is purpose-aligned for Kafka access, and no credential leakage is shown.
`KAFKA_CONFIG_FILE="${KAFKA_CONFIG_FILE:-}"` ... `cmd+=(--command-config "$KAFKA_CONFIG_FILE")`
Use least-privilege Kafka credentials and avoid pointing the skill at admin credentials unless the requested task requires them.
The skill will execute whichever Kafka CLI tools are found in the local environment.
The script relies on external Kafka CLI binaries discovered from KAFKA_HOME, PATH, or common locations. This is expected, but those dependencies are not declared in the registry requirements.
`local required_tools=("kafka-topics.sh" "kafka-console-producer.sh" "kafka-console-consumer.sh" "kafka-consumer-groups.sh")`
Install Kafka CLI tools from a trusted source and ensure PATH/KAFKA_HOME do not point to untrusted replacements.
Kafka operation metadata, such as topic names or errors, may remain on disk in the user’s home directory.
The helper writes local operation logs. Visible code logs administrative activity such as topic creation and descriptions; no external transmission is shown.
`DATA_DIR="${HOME}/.local/share/kafka-helper"` ... `LOG_FILE="${DATA_DIR}/kafka-helper.log"` ... `echo "[$ts] $*" >> "$LOG_FILE"`
Review or delete the local log if Kafka topic names, cluster details, or command errors are sensitive.
