Cloud Misconfig Scanner
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill’s cloud-scanning purpose is coherent, but it asks users to submit cloud provider credentials to an external API without clear least-privilege, scope, or data-handling boundaries.
Review this skill carefully before installing or using it. If you proceed, use a dedicated temporary read-only cloud role or key with the smallest possible scope, never an administrator credential, and verify the service operator and data-handling terms first.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user provides broad or long-lived cloud credentials, the external service could gain extensive access to cloud resources under those credentials.
The skill requires raw cloud provider credentials, but does not define least-privilege roles, read-only policies, temporary credentials, or permission boundaries for the scan-only purpose.
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| `credentials` | object | Yes | Provider-specific authentication credentials including access keys, secret keys, tokens, or service account data required to authenticate and access cloud resources |
Use only dedicated, short-lived, read-only credentials or roles with the minimum permissions needed for scanning; do not provide admin keys, and rotate or revoke credentials after use.
An agent could initiate a broad scan using whatever cloud authority the supplied credentials have, potentially exposing more of the environment than intended.
The endpoint schema only requires a provider and credentials, and does not model resource scope, account scope, read-only constraints, exclusions, or an explicit approval/dry-run control for a broad cloud scan.
"required": ["provider", "credentials"]
Require explicit user confirmation and add narrow scope controls such as account IDs, regions, projects, resource filters, and documented read-only permission policies.
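The two remediations above (short-lived read-only credentials, and explicit scope plus confirmation before a broad scan) can be turned into a gate that the user or a wrapping agent runs before anything is sent to the API. The following is an added example, not code from the audited skill, its SKILL.md, or ClawScan. It assumes AWS as the provider; it uses the skill's required `provider` and `credentials` fields and adds hypothetical `scope`, `confirmed` and `dry_run` fields that the real endpoint schema does not define; `scanner_principal_arn` and the external ID are operator-supplied placeholders, and the two sample requests are constructed.

```python
# Added example (not the skill's or ClawScan's code). Assumes AWS; the request is the
# skill's {"provider", "credentials"} object plus hypothetical "scope", "confirmed"
# and "dry_run" fields; scanner_principal_arn and external_id are operator placeholders.
from datetime import datetime, timedelta, timezone

# Read-only actions for a configuration scan. EC2 describes are regional and get an
# aws:RequestedRegion fence; IAM is global (its endpoint is in us-east-1) and S3
# bucket metadata is served from each bucket's region, so those get no region condition.
REGIONAL_READ_ACTIONS = ["ec2:Describe*"]
GLOBAL_READ_ACTIONS = [
    "iam:Get*", "iam:List*", "s3:ListAllMyBuckets", "s3:GetBucketPolicy",
    "s3:GetBucketAcl", "s3:GetBucketPublicAccessBlock", "s3:GetEncryptionConfiguration",
]
MAX_CREDENTIAL_LIFETIME = timedelta(hours=1)


def build_scan_role_policies(scanner_principal_arn, external_id, regions, max_session_seconds=3600):
    """Trust and permission policies for a dedicated read-only scan role. The ExternalId
    condition stops a confused-deputy assumption of the role via the third-party service."""
    trust_policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": scanner_principal_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}
    permission_policy = {"Version": "2012-10-17", "Statement": [
        {"Sid": "RegionalReadOnly", "Effect": "Allow", "Action": REGIONAL_READ_ACTIONS,
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": list(regions)}}},
        {"Sid": "GlobalReadOnly", "Effect": "Allow", "Action": GLOBAL_READ_ACTIONS,
         "Resource": "*"},
    ]}
    # max_session_duration is what you pass to `aws iam create-role --max-session-duration`;
    # it caps the lifetime of every credential minted from the role.
    return {"trust_policy": trust_policy, "permission_policy": permission_policy,
            "max_session_duration": max_session_seconds}


def preflight(request, now=None):
    """Return the reasons a scan request must be refused; an empty list means go.
    Enforces what the skill's schema leaves open: temporary rather than long-lived keys,
    a bounded lifetime, explicit account and region scope, and confirmation or dry run."""
    now = now or datetime.now(timezone.utc)
    problems = []
    creds = request.get("credentials") or {}
    key_id = creds.get("access_key_id", "")
    # AKIA... is a long-lived IAM user key; ASIA... is a temporary STS key.
    if key_id.startswith("AKIA"):
        problems.append("long-lived IAM user access key; use temporary STS credentials")
    elif key_id.startswith("ASIA"):
        if not creds.get("session_token"):
            problems.append("temporary access key submitted without its session token")
        expiration = creds.get("expiration")
        if not expiration:
            problems.append("temporary credential has no stated expiration")
        else:
            expires_at = datetime.fromisoformat(expiration)
            if expires_at <= now:
                problems.append("credential has already expired")
            elif expires_at - now > MAX_CREDENTIAL_LIFETIME:
                problems.append("credential lifetime exceeds the one-hour ceiling")
    else:
        problems.append("unrecognised access key id format")
    scope = request.get("scope") or {}
    if not scope.get("account_ids"):
        problems.append("no account scope given")
    if not scope.get("regions"):
        problems.append("no region scope given")
    if not (request.get("dry_run") or request.get("confirmed")):
        problems.append("broad scan neither confirmed nor run as a dry run")
    return problems


# Constructed sample requests; keys and tokens are placeholders, not real credentials.
FIXED_NOW = datetime(2026, 5, 10, 12, 0, tzinfo=timezone.utc)
BAD_REQUEST = {  # exactly what the skill's schema requires, and nothing more
    "provider": "aws",
    "credentials": {"access_key_id": "AKIAXXXXXXXXXEXAMPLE", "secret_access_key": "placeholder"},
}
GOOD_REQUEST = {
    "provider": "aws",
    "credentials": {"access_key_id": "ASIAXXXXXXXXXEXAMPLE", "secret_access_key": "placeholder",
                    "session_token": "placeholder-session-token",
                    "expiration": "2026-05-10T12:45:00+00:00"},
    "scope": {"account_ids": ["111111111111"], "regions": ["eu-west-1"]},
    "confirmed": True,
}

if __name__ == "__main__":
    for name, req in (("minimal", BAD_REQUEST), ("scoped", GOOD_REQUEST)):
        print(name, preflight(req, now=FIXED_NOW) or "OK")
```

The minimal request, which is exactly what the endpoint schema requires, is refused on four counts; the scoped one passes because its key came from `sts assume-role` (an `ASIA` key with a session token and an expiration inside the one-hour ceiling) and it names the accounts and regions it is allowed to touch. The returned policies are what you would attach to the dedicated role before minting that credential, so the scan can only ever read, and only in the regions you listed.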
Cloud credentials and cloud inventory details may leave the user’s environment and be processed by a third-party service with unclear data-handling guarantees.
The documented workflow sends scan requests to an external API gateway, while the same skill requires cloud credentials and returns resource-level findings; no artifact describes credential handling, retention, storage, or sharing boundaries.
**Kong Route:** https://api.mkkpro.com/security/cloud-misconfig-scanner
Verify the operator and privacy/security terms before use, avoid sending production admin credentials, and prefer temporary scoped roles with audit logging enabled.
It may be harder for users to verify who operates the service or whether it is trustworthy enough to receive cloud credentials.
Registry provenance is sparse for a remote service that requests sensitive cloud account credentials, although SKILL.md does provide ToolWeb and API reference links.
Source: unknown; Homepage: none
Confirm the vendor identity, documentation, security posture, and support channel before providing any real cloud credentials.
