Azure Bicep Deploy
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s Azure deployment purpose is clear, but its copy-paste PowerShell scripts dynamically execute unescaped user-supplied command strings, which is risky for a cloud-deployment workflow.
Review before installing or using. The skill’s purpose matches its Azure deployment instructions, but treat it as capable of changing real cloud infrastructure. Prefer `what-if` validation first, verify the active Azure subscription and resource group, and do not copy the provided PowerShell scripts without replacing `Invoke-Expression` with safer argument handling.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Dynamic command execution in the provided PowerShell scripts
Impact: If the script is copied and run with unsafe or attacker-influenced inputs, it could execute commands on the user's machine while the Azure CLI is authenticated.
Detail: The script interpolates user-controlled parameters into a command string and executes it with `Invoke-Expression`, so special characters in resource group names, template paths, or parameter paths could cause unintended PowerShell commands to run.
Evidence: $command = "az deployment group create --resource-group $ResourceGroupName --name $deploymentName --template-file $TemplateFile" ... Invoke-Expression $command
Recommendation: Avoid `Invoke-Expression`; call `az` with structured argument arrays, quote and validate paths/resource names, and require explicit confirmation before deployment commands.
Finding 2: Deployment commands modify real cloud infrastructure
Impact: A deployment can change real Azure infrastructure, incur cost, or affect production resources if the wrong subscription, resource group, template, or parameter file is used.
Detail: The core workflow runs Azure deployment commands that can create or modify cloud resources. This matches the skill purpose, but it is high-impact and should be user-approved and scoped.
Evidence: az deployment group create --resource-group <rg-name> --template-file <path-to-bicep> --parameters <params-file>.json
Recommendation: Run `what-if` first, confirm the subscription/resource group/environment, and use least-privilege Azure permissions, especially for staging or production.
Finding 3: Actions run with the privileges of the logged-in Azure account
Impact: The skill can act within the permissions of the selected Azure account and subscription.
Detail: The skill relies on the user's existing Azure CLI login and subscription context. That is expected for Azure deployment, but it means actions run with the privileges of the logged-in account.
Evidence: Azure CLI authenticated (az login) ... az account set --subscription <sub-id>
Recommendation: Use a dedicated least-privilege account or service principal where possible, and verify the active subscription with `az account show` before running deployments.
Finding 4: Dependence on external Azure CLI/Bicep tooling
Impact: Users must trust and maintain the local Azure CLI/Bicep installation used to perform deployments.
Detail: The skill is instruction-only and has no install spec, but its setup flow depends on external Azure CLI/Bicep tooling. This is normal for the stated purpose, though it is not declared in the registry requirements.
Evidence: az bicep install # Install Bicep
Recommendation: Install Azure CLI/Bicep from official sources, keep them updated, and verify the tool versions before use.
