Skill v1.0.1
ClawScan security
Google Cloud Platform · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 8:34 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements match its stated purpose (managing GCP via the gcloud/firebase/gsutil CLIs); it is coherent but will install CLIs and require GCP credentials, so proceed with standard operational caution.
- Guidance: This SKILL.md is coherent for managing GCP, but before installing or running it:
  1) Be aware the install will write files to your home and modify ~/.bashrc; back up that file.
  2) Authentication steps (gcloud auth login / firebase login) create local credentials; prefer using a minimally-privileged service account or short-lived credentials for automation.
  3) The commands can start/stop/delete resources and SSH into VMs; review commands and required IAM roles carefully to avoid accidental disruption.
  4) The downloads come from dl.google.com and npm (official sources), but the skill registry entry has no homepage and an unknown owner; treat it like third-party instructions rather than an official Google package.
  5) If you want the agent to act autonomously, restrict its IAM scope and consider requiring manual invocation to avoid unintended changes.
Review Dimensions
- Purpose & Capability (ok): Name and description (GCP management) align with the provided runtime instructions: installation and usage examples for gcloud, gsutil, and firebase covering Compute Engine, Cloud Run, Cloud Storage, logging, billing, and SSH.
- Instruction Scope (note): SKILL.md contains concrete commands limited to installing CLIs, authenticating (gcloud auth login / firebase login), and running gcloud/gsutil/firebase commands. It does modify the user shell (.bashrc) and asks the agent/operator to run interactive auth and SSH commands; these are expected for the stated purpose but do result in local credentials and remote access capability being created/stored.
- Install Mechanism (note): The install steps in SKILL.md download google-cloud-cli from dl.google.com (an official Google host) and instruct npm install -g firebase-tools from the public npm registry. Both are expected for this skill, but they will write files to the user's home and modify shell startup files.
- Credentials (note): The skill declares no environment variables, which is consistent, but its operations require valid GCP credentials (created via interactive auth or pre-existing ADC/service-account keys). Those credentials grant powerful permissions depending on IAM roles; the skill does not request explicit least-privilege guidance, so be careful to use limited roles/service accounts.
- Persistence & Privilege (note): The skill does not request always: true and is user-invocable. However, following the instructions will install CLIs and update ~/.bashrc (persistent changes). This is normal for CLI tooling but is a local change with lasting effects.
