ClawHub
Back to skill
v0.84.0

agent-bom discover snowflake

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 1:55 AM.

Analysis

The skill is a coherent Snowflake inventory helper, but it intentionally uses Snowflake authentication and external agent-bom tooling, so run it only with verified sources and least-privileged read-only access.

GuidanceBefore installing or running, verify the agent-bom source/version, use an operator-approved read-only Snowflake role, avoid pasting secrets into chat, choose a safe local output path, and protect or delete the generated inventory and findings files.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
Default to discover-only: write JSON to an operator-selected path and stop. ... python examples/operator_pull/snowflake_inventory_adapter.py ... --output snowflake-inventory.json

The workflow asks the user to run local command-line tooling that connects to Snowflake and writes an inventory file; this is central to the skill's purpose and is constrained as discover-only.

User impactThe local commands will query Snowflake and create inventory/finding files on disk.
RecommendationReview the command, account, role, warehouse, and output path before running it; only run the scan step when you explicitly want findings generated.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceMediumStatusNote
SKILL.md
Requires Python 3.11+, agent-bom installed with the snowflake extra ... python examples/operator_pull/snowflake_inventory_adapter.py

The instruction-only skill depends on an external agent-bom installation and example adapter script rather than bundled reviewed code.

User impactActual runtime behavior depends on the external agent-bom package and script the operator has installed.
RecommendationInstall agent-bom only from the listed GitHub/PyPI sources, pin or verify the version when possible, and review the adapter script before using it with Snowflake credentials.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
credentials: snowflake-read-only ... optional_env: ... SNOWFLAKE_PRIVATE_KEY_PATH ... SNOWFLAKE_TOKEN ... credential_policy: "Use the operator's existing Snowflake SSO, OAuth, or key-pair auth context... Do not ask users to paste passwords, private keys, or OAuth tokens into chat."

The skill explicitly relies on the operator's Snowflake authentication context, including potentially sensitive OAuth tokens or key-pair material, but frames it as read-only and tells the agent not to collect secrets in chat.

User impactRunning the workflow can access Snowflake account metadata using the user's delegated Snowflake permissions.
RecommendationUse a least-privileged read-only Snowflake role, prefer SSO/OAuth/key-pair auth over passwords, and do not paste passwords, private keys, passphrases, or tokens into the conversation.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
data_flow: "Operator Snowflake account -> read-only Snowflake queries/API calls -> canonical inventory JSON -> optional local agent-bom inventory scan... Credential-like values are redacted before persistence/export."

The skill persists Snowflake-derived inventory context to local JSON for later scanning; it says credentials are redacted, but the inventory itself can still be sensitive.

User impactInventory and findings files may reveal Snowflake assets, permissions used, query-history-related metadata, or AI-observability information.
RecommendationStore the generated JSON files in a protected location, inspect redaction before sharing, and delete outputs when they are no longer needed.