Komodo

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears purpose-aligned for managing Komodo infrastructure, but it should be used carefully because it can act on real deployments using Komodo API credentials.

Install only if you intend to let the agent help manage Komodo infrastructure. Provide a least-privilege Komodo API key, double-check commands that deploy, stop, restart, run, or destroy resources, and avoid pasting secrets into configs or logs that may be shown in the chat.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A correctly authenticated command can stop, restart, deploy, or destroy Komodo-managed resources.

Why it was flagged

The skill includes direct control commands for stacks, including destructive operations. This is consistent with a Komodo infrastructure management skill, but users should recognize the operational impact.

Skill content

destroy: "DestroyStack", ... const result = await komodo.execute_and_poll(op, { stack });

Recommendation

Use explicit user confirmation for destructive or production-impacting actions, and verify the target stack/deployment name before running commands.

What this means

The skill can act with whatever permissions the supplied Komodo API key has.

Why it was flagged

The skill uses Komodo API credentials from environment variables. That is expected for this integration, but those credentials may carry broad Komodo permissions and are not declared in the registry metadata.

Skill content

const key = process.env.KOMODO_API_KEY; const secret = process.env.KOMODO_API_SECRET; ... params: { key, secret }

Recommendation

Use a least-privilege Komodo API key scoped to the intended resources and actions, and update registry metadata to declare the required environment variables.

What this means

Future dependency versions could change behavior when rebuilding or running from source.

Why it was flagged

If a user rebuilds or runs the TypeScript path after installing dependencies, semver ranges can resolve to newer package versions than the reviewed artifact.

Skill content

"komodo_client": "^1.19.5", "@types/bun": "latest"

Recommendation

Pin dependency versions and include a lockfile/provenance if source builds are expected.