Finops

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is an instruction-only FinOps guidance skill with no code or install steps. Users should still be careful before giving it cloud billing access or approving the resource and cost changes it recommends.

The skill appears safe as a reference/advisory skill. Before using it with real cloud accounts, limit billing access (read-only where possible) and manually approve any recommendation that purchases commitments, changes budgets or policies, stops or resizes resources, or deletes unused infrastructure.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

0 of 66 VirusTotal vendors flagged this skill; all 66 reported it clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Severity: Low
What this means

If connected to real cloud accounts, the agent could see sensitive spend and billing information, and connected tooling might allow changes that affect cloud costs.

Why it was flagged

Cloud billing and cost-management tools can expose financial/account information and may permit cost-affecting actions; this is aligned with the FinOps purpose but should be explicitly authorized and least-privileged.

Skill content
compatibility: Requires access to cloud billing data and cost management tools when implementing recommendations
Recommendation

Grant only the minimum needed access, prefer read-only billing access for analysis, and require explicit approval for purchases, budget changes, tagging changes, or resource modifications.

ASI02: Tool Misuse and Exploitation
Severity: Low
What this means

If these recommendations are implemented without review, the resulting automation could stop, resize, or terminate resources, disrupting services or changing spend.

Why it was flagged

The reference material describes automation examples that could mutate cloud resources or affect availability if implemented. The artifacts present them as FinOps guidance, not as hidden automatic execution.

Skill content
Rightsizing | Auto-implement recommendations during low-traffic windows ... Scheduling | Auto-stop dev/test environments nights and weekends
Recommendation

Treat automation suggestions as proposals only; use change control, approvals, exclusions for critical systems, testing, and rollback plans before applying them.
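Both recommendations in this report (least-privileged, preferably read-only billing access under ASI03, and automation treated as proposals gated by approvals and exclusions under ASI02) can be enforced in one place: in front of the agent's tool calls. The following is an added example written for this review, not code from the Finops skill or from ClawScan. It is a policy gate that allows read-only cost queries unattended, permits the skill's dev/test auto-stop only inside a low-traffic window, routes purchases, budget, tag and resource changes to a named approver, excludes critical systems outright, and denies anything it does not recognise. Action names follow AWS IAM's service:Operation form; the allowlists, the 22:00-06:00 window, the env tag scheme, the critical-system ARN patterns and the sample calls are assumptions made for illustration.

```python
"""Approval gate for a FinOps agent's cloud tool calls.

Added example for this review; not code from the Finops skill or ClawScan.
Assumed and hypothetical: tool calls are dicts with "action", "resource" and
"tags"; action names use the AWS IAM "service:Operation" form; the window,
tag scheme, ARN patterns and sample calls are illustrative values.
"""
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatch
from typing import Optional

# Read-only cost/billing queries the agent may run unattended (assumed
# allowlist of wildcard patterns; everything else falls through to deny).
READ_ONLY = ("ce:Get*", "ce:Describe*", "cur:Describe*",
             "budgets:View*", "budgets:Describe*", "ec2:Describe*")

# Cost-affecting actions named in the report (purchases, budget and tag
# changes, resizing, termination): never unattended, always a named approver.
NEEDS_APPROVAL = (
    "ec2:PurchaseReservedInstancesOffering", "savingsplans:CreateSavingsPlan",
    "budgets:CreateBudget", "budgets:ModifyBudget",
    "tag:TagResources", "tag:UntagResources",
    "ec2:ModifyInstanceAttribute", "ec2:TerminateInstances",
)

# The one mutation allowed without per-call approval: the skill's "auto-stop
# dev/test nights and weekends", limited to env=dev|test and to an assumed
# low-traffic window of 22:00-06:00 (wraps midnight).
SCHEDULED_STOP = "ec2:StopInstances"
LOW_TRAFFIC = (time(22, 0), time(6, 0))

# Critical systems excluded from any automated mutation (assumed patterns).
CRITICAL = ("arn:aws:ec2:*:*:instance/i-prod-*", "arn:aws:rds:*:*:db:prod-*")


@dataclass
class Decision:
    verdict: str   # "allow", "deny" or "needs_approval"
    reason: str


def _matches(name: str, patterns) -> bool:
    return any(fnmatch(name, p) for p in patterns)


def in_low_traffic_window(now: datetime) -> bool:
    start, end = LOW_TRAFFIC
    t = now.time()
    if start > end:            # window wraps midnight
        return t >= start or t < end
    return start <= t < end


def evaluate(call: dict, now: datetime, approver: Optional[str] = None) -> Decision:
    """Decide whether the agent's proposed tool call may proceed."""
    action = call["action"]
    resource = call.get("resource", "")
    tags = call.get("tags", {})

    if _matches(action, READ_ONLY):
        return Decision("allow", "read-only cost/billing query")

    # Every remaining action mutates cost or availability. Exclusions are
    # checked first so that an approver cannot override them.
    if _matches(resource, CRITICAL):
        return Decision("deny", "critical system is excluded from automation")

    if action == SCHEDULED_STOP:
        if tags.get("env") in ("dev", "test") and in_low_traffic_window(now):
            return Decision("allow", "scheduled stop of dev/test in low-traffic window")
        if approver:
            return Decision("allow", f"stop approved by {approver}")
        return Decision("needs_approval", "stop outside dev/test scope or window")

    if action in NEEDS_APPROVAL:
        if approver:
            return Decision("allow", f"{action} approved by {approver}")
        return Decision("needs_approval", f"{action} changes spend or resources")

    # Least privilege: anything not explicitly classified is refused.
    return Decision("deny", f"{action} is not in the allowlist")


# Constructed sample inputs (not real account data) used by the demo below.
SAMPLE_NIGHT = datetime(2024, 1, 15, 23, 30)
SAMPLE_DAY = datetime(2024, 1, 15, 14, 0)
DEV_BOX = {"action": "ec2:StopInstances",
           "resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-dev-01",
           "tags": {"env": "dev"}}
PROD_BOX = {"action": "ec2:StopInstances",
            "resource": "arn:aws:ec2:eu-west-1:123456789012:instance/i-prod-07",
            "tags": {"env": "dev"}}   # mislabelled tag; the ARN exclusion still wins

if __name__ == "__main__":
    print(evaluate({"action": "ce:GetCostAndUsage"}, SAMPLE_DAY))
    print(evaluate(DEV_BOX, SAMPLE_NIGHT))
    print(evaluate(DEV_BOX, SAMPLE_DAY))
    print(evaluate(PROD_BOX, SAMPLE_NIGHT, approver="alice"))
    print(evaluate({"action": "savingsplans:CreateSavingsPlan"}, SAMPLE_DAY))
    print(evaluate({"action": "ec2:RunInstances"}, SAMPLE_DAY, approver="alice"))
```

The ordering is the point: the critical-system exclusion is evaluated before the approver, so a human approval cannot be used to push a change onto an excluded system (and a wrong env tag does not help), and the final branch is a default deny, which is what makes the action list least-privilege rather than a blocklist.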