Skill v1.0.0
ClawScan security
Google Cloud CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 6, 2026, 6:46 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only wrapper for the official gcloud CLI that only requires the gcloud binary and enforces explicit user approval and context checks before running commands; its requirements and instructions are consistent with its stated purpose.
- Guidance: This skill appears coherent and low-risk: install the official gcloud CLI from Google, and run the skill only in an environment where the active gcloud identity is a dedicated, least-privilege service account (not a personal or broad admin account). Always review the full command the agent presents before approving execution; the skill relies on your explicit approval for all operations. If your organization forbids use of service account keys or requires workload identity federation, follow those policies rather than authenticating with a long-lived key for this skill.
Review Dimensions
- Purpose & Capability: ok. The skill's name/description (gcloud CLI wrapper) matches the declared requirements: it only requires the gcloud binary and references only Google Cloud command groups. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope: ok. SKILL.md confines behavior to discovering command syntax via `gcloud <group> --help`, checking active gcloud account/project, presenting the full command, and waiting for explicit user approval before execution. It does not instruct reading unrelated files, exfiltrating data, or contacting external endpoints.
- Install Mechanism: ok. There is no automated install spec; the skill points to the official gcloud installation docs (manual install). No archives or third-party downloads are specified, so nothing is written/executed by the skill itself.
- Credentials: ok. No environment variables or external credentials are declared. The skill uses the local gcloud authentication/configuration context (expected for a gcloud wrapper). Users must be aware that whatever identity is active locally will be used, so least-privilege service accounts are recommended.
- Persistence & Privilege: ok. The skill is user-invocable, not always-on, and disables model invocation (so it cannot execute autonomously). It requests no system-wide persistence or modification of other skills' configurations.
