ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

aws-price-csv

v1.0.0

Generate AWS cost CSVs from a user-provided service list. Use when someone supplies an item list + AWS region and needs per-item pricing plus totals via AWS...

0· 254·0 current·0 all-time
by@crazylion
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the behavior: the scripts fetch pricing via the AWS Pricing CLI or download AWS-hosted bulk JSON and produce CSV output. The requested capabilities (none declared) and included code are reasonable for this purpose.
Instruction Scope
SKILL.md instructions stay within the stated purpose. One important runtime behavior is implicit: API mode invokes the local aws-cli, which will use whatever AWS credentials are configured on the host (shared credentials file / environment). SKILL.md documents API vs bulk modes. There is a small documentation/code mismatch (instructions mention compression of inputs/outputs, but the scripts do not appear to implement zipping).
Install Mechanism
No install spec and included code is pure Python. Network downloads (bulk mode) target the official AWS pricing host (pricing.us-east-1.amazonaws.com). There are no untrusted third-party download URLs or installers.
Credentials
The skill declares no required env vars or credentials, which aligns with the repo, but API mode implicitly relies on the host's AWS credentials (via aws-cli). This is proportionate for querying pricing (requires pricing:GetProducts). The script writes cached bulk JSON into a user cache dir (~/.cache/aws-price-csv by default), which is expected but should be noted.
Persistence & Privilege
No special persistence or elevated privileges are requested (always:false). The skill writes only its own cache files and output CSVs; it does not modify other skills or system-wide agent settings.
Assessment
This appears to be a legitimate AWS pricing CSV tool, but review these practical points before using it: (1) If you run in API mode the script will call the local aws-cli and therefore use whatever AWS credentials are configured on the machine — ensure those credentials have only the minimal permission (pricing:GetProducts) you intend to permit. (2) Bulk mode will download large JSON files from the official AWS pricing endpoint and store them in your cache directory (~/.cache/aws-price-csv by default) — check disk space and network policy. (3) Because the package includes runnable Python scripts, inspect them locally and run them in a controlled environment (or a container) if you don't fully trust the source. (4) The repository contains two copies of the same script and some minor doc/code mismatches; that is not itself malicious but you may want to verify which file/version you run. If you want added assurance, run a dry-run (--dry-run) first, or use bulk files you supply instead of API mode.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fph2ternc31wygq1913awhd82bhrw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments