Cloudmigrate
Security checks across malware telemetry and agentic risk
Overview
This cloud-migration skill is purpose-aligned overall, but it asks for broad multi-cloud credentials and deployment tooling with unclear approval boundaries, and the scan found an apparent hardcoded password in the instructions.
Review this skill before installing. It may be useful for cloud migration work, but only use least-privilege temporary credentials, avoid production accounts by default, inspect all generated IaC and CLI commands, and require explicit confirmation before any deployment, apply, delete, or cloud-cost-incurring action.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed with powerful credentials, the agent could access or change cloud accounts, create resources, alter deployments, or incur costs across multiple providers.
The skill requires credentials for all three major cloud providers, including long-lived access keys and service account material, even though many use cases may only need planning or one provider.
"env": ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AZURE_SUBSCRIPTION_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "GCP_PROJECT_ID", "GCP_SERVICE_ACCOUNT_JSON"]
Use temporary, least-privilege, environment-specific credentials; provide only the provider credentials needed for the current task; prefer sandbox accounts; and require explicit approval before any apply, deploy, delete, or cost-incurring action.
An agent using this skill could run high-impact infrastructure commands that affect production systems or create unexpected cloud charges if not tightly supervised.
The required binaries listed below are appropriate for infrastructure automation, but together they provide broad authority to provision, modify, deploy, and run infrastructure or containers; the artifacts do not clearly limit execution scope or approval requirements.
Required binaries (all must exist): terraform, ansible, aws-cli, az, gcloud, docker
Run generated plans in review mode first, require user confirmation before execution, restrict accounts/projects/subscriptions, and avoid granting production permissions unless absolutely necessary.
A user may install the skill expecting file transfer or sync help while actually granting authority suitable for broad cloud infrastructure automation.
The frontmatter name references SFTP transfers and Google Drive sync, while the description and body present a multi-cloud IaC and deployment automation skill. This inconsistency can mislead users about what the skill actually does.
name: Migrate Cloud Data with Automated SFTP Transfers & Google Drive Sync
Clarify the skill name and scope so it accurately matches the cloud-migration and infrastructure-deployment behavior.
Hardcoded secrets may be copied into generated infrastructure files, repositories, logs, or shared plans, increasing the chance of credential leakage.
The static scan reported an apparent hardcoded password literal in the instruction file. Even if this is an example, hardcoded passwords in IaC-style guidance are unsafe and can encourage credential exposure.
password = [REDACTED]
Replace hardcoded passwords with secret-manager references, environment variables, or clearly fake placeholders, and instruct users never to commit secrets into generated IaC.
