Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Azure Bicep Deploy
v2.1.0Deploy and validate Azure Bicep and ARM templates to manage resources and multi-environment setups, including Azure Container Apps configurations.
⭐ 0· 309·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (Azure Bicep deployment, validation, multi-environment support and Container Apps) match the included SKILL.md, example parameter files, and PowerShell helper scripts. All required functionality is served by az/bicep CLI usage documented in the files; no unrelated services or credentials are requested.
Instruction Scope
Runtime instructions and scripts run az and bicep CLI commands and reference local params/templates only. They include Invoke-Expression to execute constructed PowerShell commands; this is expected for quick deploy scripts but means you should review templates/parameters before running to avoid executing commands built from untrusted input. Scripts reference local files (params/, references/) and standard az endpoints only.
Install Mechanism
No install spec and no code files that download or write binaries; this is instruction-only and therefore low install risk. The scripts may call 'az bicep install' if the user lacks the Bicep CLI, which uses the official Azure CLI mechanism.
Credentials
The skill declares no required environment variables or credentials. It does require the user to have an authenticated Azure CLI session (az login) and appropriate subscription permissions — which is proportional and expected for deployment operations. Parameter files contain placeholders for sensitive values (e.g., registry password) but the skill does not request or store secrets itself.
Persistence & Privilege
Skill is not always-enabled and is user-invocable; it does not attempt to modify other skills or persist credentials. Autonomous invocation is allowed (platform default) but not combined with other privilege escalations in this package.
Assessment
This skill appears to do what it claims: provide guidance and helper scripts for building, validating, and deploying Bicep/ARM templates via the Azure CLI. Before using it: (1) Review templates and parameter files for any hard-coded secrets or unexpected resource changes; (2) don't run the included PowerShell scripts without inspecting them—Invoke-Expression is used to execute constructed commands, which is normal for deploy scripts but can run unexpected commands if inputs are tampered with; (3) perform a 'what-if' first and validate templates locally (az bicep build / az deployment group what-if); (4) use a least-privilege Azure identity (service principal or scoped role) rather than a broad subscription-owner account for automated deploys; (5) verify container images and any referenced registries and avoid placing plaintext credentials in params files. If you need more assurance, provide the exact Bicep templates you plan to deploy and have them reviewed for resource and permission changes.Like a lobster shell, security has layers — review code before you run it.
latestvk97ayb29wrcq0z0y3fzzrexjz982x43r
License
MIT-0
Free to use, modify, and redistribute. No attribution required.