Lap Access Analyzer
Access Analyzer API skill. Use when working with Access Analyzer for archive-rule, policy, access-preview. Covers 35 endpoints.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 23 · 0 current installs · 0 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md describes AWS Access Analyzer endpoints (coherent with the name/description). However the declared required environment variable is a single ACCESS_ANALYZER_API_KEY, which does not match AWS SigV4's usual credential model (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, optional AWS_SESSION_TOKEN, region). The skill's purpose is plausible but the credential requirement is mismatched and unexplained.
Instruction Scope
Instructions say to 'Configure auth: AWS SigV4' but do not specify where credentials come from, what environment variables or config files to use, or the service base URL. The doc references an internal file (references/api-spec.lap) that isn't present. The vagueness could cause an agent to search environment variables, AWS profiles, or config files to find credentials, which expands scope beyond what's declared.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk during install. That reduces installation risk.
Credentials
Only ACCESS_ANALYZER_API_KEY is declared as required, which is unusual for a SigV4-based AWS integration. The skill may actually need standard AWS credentials or access to ~/.aws/ files, yet those are not declared. The declared env var appears insufficient and disproportionate to the stated SigV4 auth method.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always is false), and there is no install script modifying other skills or system-wide configs.
What to consider before installing
Do not install or grant credentials yet. Ask the publisher to clarify how authentication works: why a single ACCESS_ANALYZER_API_KEY is required when SKILL.md specifies AWS SigV4, whether the skill will use standard AWS env vars or look in ~/.aws/, and what the base URL is. Because the instructions are vague, an agent could try to read any AWS credentials available (environment variables, AWS profiles, or credential files). If you proceed, supply a least-privileged IAM credential scoped only to Access Analyzer actions, avoid using root credentials, and prefer creating a dedicated IAM user/role with narrow permissions. Prefer an implementation that uses the official AWS SDK or an audited connector and that documents exact env vars and endpoints. If the source/homepage is unknown, treat the skill as untrusted until provenance and auth behavior are clarified.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvACCESS_ANALYZER_API_KEY
SKILL.md
Access Analyzer
API version: 2019-11-01
Auth
AWS SigV4
Base URL
Not specified.
Setup
- Configure auth: AWS SigV4
- GET /analyzed-resource -- verify access
- POST /policy/check-access-not-granted -- create first check-access-not-granted
Endpoints
35 endpoints across 10 groups. See references/api-spec.lap for full details.
archive-rule
| Method | Path | Description |
|---|---|---|
| PUT | /archive-rule | Retroactively applies the archive rule to existing findings that meet the archive rule criteria. |
policy
| Method | Path | Description |
|---|---|---|
| PUT | /policy/generation/{jobId} | Cancels the requested policy generation. |
| POST | /policy/check-access-not-granted | Checks whether the specified access isn't allowed by a policy. |
| POST | /policy/check-no-new-access | Checks whether new access is allowed for an updated policy when compared to the existing policy. You can find examples for reference policies and learn how to set up and run a custom policy check for new access in the IAM Access Analyzer custom policy checks samples repository on GitHub. The reference policies in this repository are meant to be passed to the existingPolicyDocument request parameter. |
| POST | /policy/check-no-public-access | Checks whether a resource policy can grant public access to the specified resource type. |
| GET | /policy/generation/{jobId} | Retrieves the policy that was generated using StartPolicyGeneration. |
| GET | /policy/generation | Lists all of the policy generations requested in the last seven days. |
| PUT | /policy/generation | Starts the policy generation request. |
| POST | /policy/validation | Requests the validation of a policy and returns a list of findings. The findings help you identify issues and provide actionable recommendations to resolve the issue and enable you to author functional policies that meet security best practices. |
access-preview
| Method | Path | Description |
|---|---|---|
| PUT | /access-preview | Creates an access preview that allows you to preview IAM Access Analyzer findings for your resource before deploying resource permissions. |
| GET | /access-preview/{accessPreviewId} | Retrieves information about an access preview for the specified analyzer. |
| POST | /access-preview/{accessPreviewId} | Retrieves a list of access preview findings generated by the specified access preview. |
| GET | /access-preview | Retrieves a list of access previews for the specified analyzer. |
analyzer
| Method | Path | Description |
|---|---|---|
| PUT | /analyzer | Creates an analyzer for your account. |
| PUT | /analyzer/{analyzerName}/archive-rule | Creates an archive rule for the specified analyzer. Archive rules automatically archive new findings that meet the criteria you define when you create the rule. To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys in the IAM User Guide. |
| DELETE | /analyzer/{analyzerName} | Deletes the specified analyzer. When you delete an analyzer, IAM Access Analyzer is disabled for the account or organization in the current or specific Region. All findings that were generated by the analyzer are deleted. You cannot undo this action. |
| DELETE | /analyzer/{analyzerName}/archive-rule/{ruleName} | Deletes the specified archive rule. |
| GET | /analyzer/{analyzerName} | Retrieves information about the specified analyzer. |
| GET | /analyzer/{analyzerName}/archive-rule/{ruleName} | Retrieves information about an archive rule. To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys in the IAM User Guide. |
| GET | /analyzer | Retrieves a list of analyzers. |
| GET | /analyzer/{analyzerName}/archive-rule | Retrieves a list of archive rules created for the specified analyzer. |
| PUT | /analyzer/{analyzerName}/archive-rule/{ruleName} | Updates the criteria and values for the specified archive rule. |
recommendation
| Method | Path | Description |
|---|---|---|
| POST | /recommendation/{id} | Creates a recommendation for an unused permissions finding. |
| GET | /recommendation/{id} | Retrieves information about a finding recommendation for the specified analyzer. |
analyzed-resource
| Method | Path | Description |
|---|---|---|
| GET | /analyzed-resource | Retrieves information about a resource that was analyzed. |
| POST | /analyzed-resource | Retrieves a list of resources of the specified type that have been analyzed by the specified external access analyzer. This action is not supported for unused access analyzers. |
finding
| Method | Path | Description |
|---|---|---|
| GET | /finding/{id} | Retrieves information about the specified finding. GetFinding and GetFindingV2 both use access-analyzer:GetFinding in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:GetFinding action. |
| POST | /finding | Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use access-analyzer:ListFindings in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:ListFindings action. To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys in the IAM User Guide. |
| PUT | /finding | Updates the status for the specified findings. |
findingv2
| Method | Path | Description |
|---|---|---|
| GET | /findingv2/{id} | Retrieves information about the specified finding. GetFinding and GetFindingV2 both use access-analyzer:GetFinding in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:GetFinding action. |
| POST | /findingv2 | Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use access-analyzer:ListFindings in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:ListFindings action. To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys in the IAM User Guide. |
tags
| Method | Path | Description |
|---|---|---|
| GET | /tags/{resourceArn} | Retrieves a list of tags applied to the specified resource. |
| POST | /tags/{resourceArn} | Adds a tag to the specified resource. |
| DELETE | /tags/{resourceArn} | Removes a tag from the specified resource. |
resource
| Method | Path | Description |
|---|---|---|
| POST | /resource/scan | Immediately starts a scan of the policies applied to the specified resource. |
Common Questions
Match user requests to endpoints in references/api-spec.lap. Key patterns:
- "Update a generation?" -> PUT /policy/generation/{jobId}
- "Create a check-access-not-granted?" -> POST /policy/check-access-not-granted
- "Create a check-no-new-access?" -> POST /policy/check-no-new-access
- "Create a check-no-public-access?" -> POST /policy/check-no-public-access
- "Delete a analyzer?" -> DELETE /analyzer/{analyzerName}
- "Delete a archive-rule?" -> DELETE /analyzer/{analyzerName}/archive-rule/{ruleName}
- "Get access-preview details?" -> GET /access-preview/{accessPreviewId}
- "List all analyzed-resource?" -> GET /analyzed-resource
- "Get analyzer details?" -> GET /analyzer/{analyzerName}
- "Get archive-rule details?" -> GET /analyzer/{analyzerName}/archive-rule/{ruleName}
- "Get finding details?" -> GET /finding/{id}
- "Get recommendation details?" -> GET /recommendation/{id}
- "Get findingv2 details?" -> GET /findingv2/{id}
- "Get generation details?" -> GET /policy/generation/{jobId}
- "List all access-preview?" -> GET /access-preview
- "Create a analyzed-resource?" -> POST /analyzed-resource
- "List all analyzer?" -> GET /analyzer
- "List all archive-rule?" -> GET /analyzer/{analyzerName}/archive-rule
- "Create a finding?" -> POST /finding
- "Create a findingv2?" -> POST /findingv2
- "List all generation?" -> GET /policy/generation
- "Get tag details?" -> GET /tags/{resourceArn}
- "Create a scan?" -> POST /resource/scan
- "Delete a tag?" -> DELETE /tags/{resourceArn}
- "Update a archive-rule?" -> PUT /analyzer/{analyzerName}/archive-rule/{ruleName}
- "Create a validation?" -> POST /policy/validation
- "How to authenticate?" -> See Auth section
Response Tips
- Check response schemas in references/api-spec.lap for field details
- Create/update endpoints typically return the created/updated object
References
- Full spec: See references/api-spec.lap for complete endpoint details, parameter tables, and response schemas
Generated from the official API spec by LAP
Files
1 totalSelect a file
Select a file to preview.
Comments
Loading comments…