Skill v0.1.0
ClawScan security
Finops · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 5:17 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only FinOps advisory skill whose requested footprint (no installs, no env vars, no binaries) matches its stated purpose of providing guidance; nothing in the instructions asks for unrelated system access or hidden behavior.
- Guidance: This skill is an instruction-only FinOps advisor and appears internally consistent. Before using it: do not paste long-lived cloud account keys or passwords into chat; if you want it to analyze billing data, prefer uploading exported billing reports (Cost CSV/CUR/BigQuery export) or grant read-only, narrowly scoped, temporary credentials. Verify suggested actions in a safe environment (e.g., test accounts) before applying changes that affect production or billing. The author/source is not a known homepage; treat recommendations as expert guidance to be validated against your organization's policies and approvals.
Review Dimensions
- Purpose & Capability (ok): Skill name/description (FinOps guidance) align with the included content: framework, phases, capabilities, maturity, personas and terminology. It does not request unrelated resources or permissions.
- Instruction Scope (ok): SKILL.md consists of FinOps guidance and templates. It does not instruct the agent to read local system files, access environment variables, run commands, or transmit data to third-party endpoints. The only actionable note is a high-level compatibility line that says implementing recommendations requires access to cloud billing data (expected for this domain).
- Install Mechanism (ok): No install spec and no code files; the skill is instruction-only. This limits the skill's on-disk activity and reduces risk. No downloads, third-party packages, or binaries are requested.
- Credentials (note): The skill notes that implementing recommendations requires access to cloud billing data, but it does not declare or require any environment variables or credentials. This is reasonable for an advisory skill, but users should be cautious when providing billing exports or credentials (use least privilege/read-only exports or temporary credentials).
- Persistence & Privilege (ok): always is false and the skill is user-invocable; there is no install step or persistent agent modification. The skill does not request elevated or persistent privileges.
