Skill v1.0.0

ClawScan security

Iam Integration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 19, 2026, 3:06 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only IAM integration guide whose requested artifacts (none) and instructions align with its stated purpose; it does not ask for credentials or install code.
Guidance
This instruction-only guide appears coherent and safe as documentation. Before relying on it: ensure your gateway actually enforces and injects X-ACCESS-TOKEN/X-Uid (do not trust client-supplied headers), validate JWT secrets and rotation policies within your own infra, enforce least privilege for any service accounts that call IAM, review the referenced client libraries for supply-chain risk before adding them to builds, and confirm network isolation so only authorized services can reach the IAM endpoints.

Review Dimensions

Purpose & Capability
ok: The name/description say gRPC/REST IAM integration and the SKILL.md contains gRPC client usage, REST endpoints, headers, and data models. It does not request unrelated binaries, credentials, or config paths.
Instruction Scope
note: The guide stays on-topic (token validation, permission checks, account lookup). It assumes a trusted gateway will set headers like X-Uid/X-ACCESS-TOKEN and recommends using a thread-local IamAuthContext; this is normal for IAM integration but relies on upstream trust. The doc does not instruct reading unrelated files or env vars.
Install Mechanism
ok: No install spec and no code files are present; nothing will be written to disk or downloaded by the skill itself (lowest-risk model).
Credentials
ok: The skill declares no required environment variables or credentials. The content references per-app JWT secrets conceptually but does not request secret keys or other unrelated credentials.
Persistence & Privilege
ok: always:false and no install or persistent components. The skill does not request elevated persistence or to modify other skills or system-wide agent settings.