Skill v1.0.0
ClawScan security
aws-price-csv · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 5, 2026, 6:48 AM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill and included scripts are internally consistent with an AWS pricing CSV generator: they call the AWS Pricing API or download official AWS bulk JSON, require aws-cli or local JSON files, and write a local cache. Nothing in the package indicates unexplained credential access or hidden endpoints.
- Guidance: This appears to be a legitimate AWS pricing CSV tool, but review these practical points before using it:
  1. If you run in API mode, the script will call the local aws-cli and therefore use whatever AWS credentials are configured on the machine; ensure those credentials have only the minimal permission (pricing:GetProducts) you intend to permit.
  2. Bulk mode will download large JSON files from the official AWS pricing endpoint and store them in your cache directory (~/.cache/aws-price-csv by default); check disk space and network policy.
  3. Because the package includes runnable Python scripts, inspect them locally and run them in a controlled environment (or a container) if you don't fully trust the source.
  4. The repository contains two copies of the same script and some minor doc/code mismatches; that is not itself malicious, but you may want to verify which file/version you run.
  If you want added assurance, run a dry-run (--dry-run) first, or use bulk files you supply instead of API mode.
Review Dimensions
- Purpose & Capability
  - ok: Name/description match the behavior: the scripts fetch pricing via the AWS Pricing CLI or download AWS-hosted bulk JSON and produce CSV output. The requested capabilities (none declared) and included code are reasonable for this purpose.
- Instruction Scope
  - note: SKILL.md instructions stay within the stated purpose. One important runtime behavior is implicit: API mode invokes the local aws-cli, which will use whatever AWS credentials are configured on the host (shared credentials file / environment). SKILL.md documents API vs bulk modes. There is a small documentation/code mismatch (instructions mention compression of inputs/outputs, but the scripts do not appear to implement zipping).
- Install Mechanism
  - ok: No install spec, and the included code is pure Python. Network downloads (bulk mode) target the official AWS pricing host (pricing.us-east-1.amazonaws.com). There are no untrusted third-party download URLs or installers.
- Credentials
  - note: The skill declares no required env vars or credentials, which aligns with the repo, but API mode implicitly relies on the host's AWS credentials (via aws-cli). This is proportionate for querying pricing (requires pricing:GetProducts). The script writes cached bulk JSON into a user cache dir (~/.cache/aws-price-csv by default), which is expected but should be noted.
- Persistence & Privilege
  - ok: No special persistence or elevated privileges are requested (always:false). The skill writes only its own cache files and output CSVs; it does not modify other skills or system-wide agent settings.
