Skill v0.1.0

ClawScan security

Cloud Architect · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 2:16 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, instructions, and references are consistent with its stated purpose as a cloud-architecture guidance skill and do not request unexpected installs, credentials, or system access.
Guidance
This skill appears coherent and is documentation-style guidance for cloud architecture. Before installing or using it: (1) verify the author/source (registry metadata shows an owner id but no homepage), (2) do not paste real credentials or secrets into prompts or sample code, (3) treat code snippets as examples—review and test IaC/automation in a safe environment before applying to production, and (4) if you need the agent to perform live actions (create resources, run commands), prefer creating short-lived service accounts/keys with least privilege and rotate them after use.

Review Dimensions

Purpose & Capability
ok
Name and description (multi-cloud architecture, migrations, cost, Well-Architected) align with the included SKILL.md and the large set of provider-specific reference documents (AWS, Azure, GCP, cost, multi-cloud). The materials and templates present are what you'd expect from a cloud-architect guidance skill.
Instruction Scope
ok
SKILL.md defines an architect role, workflows, constraints, and output templates; it does not instruct the agent to read local files, system configuration, or to exfiltrate data. The reference files contain example code snippets (e.g., checking instance metadata, using environment vars for API keys) that are typical documentation examples but are not runtime directives to access secrets or host internals.
Install Mechanism
ok
No install spec and no code files that would be written to disk — the skill is instruction-only, which is the lowest-risk install profile and consistent with a documentation-style architecture skill.
Credentials
note
The skill declares no required environment variables or credentials. Some example snippets in reference files show use of environment variables (e.g., ACCESS_KEY/SECRET_KEY) and the EC2 metadata URL; these are expected illustrative examples for cloud operations. They do not mean the skill requires credentials, but users should avoid pasting real secrets into prompts or storing credentials in example code as the skill itself does not manage secrets.
Persistence & Privilege
ok
always is false, no install or config-path writes, and the skill does not request elevated or persistent privileges. It can be invoked by the agent (normal default), but nothing in the package grants it broader system presence or privileges.