Watadot Aws Cloudwatch
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill coherently documents AWS CloudWatch read commands, but users should ensure it runs only with an appropriately scoped AWS profile because logs and metrics may be sensitive.
Before installing, confirm you want the agent to help run AWS CloudWatch read commands. Use a least-privilege AWS profile, specify the intended region and log groups, and remember that CloudWatch logs may contain sensitive data.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with a broad AWS profile, the agent could view CloudWatch logs, alarms, metrics, and dashboard names available to that identity.
The skill uses the AWS CLI to access CloudWatch logs and metrics, which will operate under the user's configured AWS identity. This is purpose-aligned, but the artifacts do not specify a profile, account, region, or least-privilege role.
requires:
 anyBins: [aws]
...
aws logs tail /aws/lambda/<function-name> --follow
...
aws logs filter-log-events --log-group-name <name> --filter-pattern "ERROR"
Use an explicit read-only AWS profile or role limited to the intended account, region, and log groups; add `--profile` and `--region` when running commands.
A log-tail session could continue showing new CloudWatch log entries while it remains active.
The skill documents a raw AWS CLI log-tail command. This is central to the stated log monitoring purpose, but `--follow` will keep streaming until stopped.
aws logs tail /aws/lambda/<function-name> --follow
Run tailing only for the intended log group and stop the command once troubleshooting is complete.
