AWS FIS Experiment Execute
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is transparent about running AWS chaos experiments, but it deserves review because it can disrupt cloud resources and broadly scans or logs all accessible EKS clusters, including sensitive Kubernetes data.
Install only if you intend to run controlled AWS FIS chaos experiments. Use a tightly scoped AWS profile and kubeconfig, verify the template/actions/stop conditions before confirming, and limit or disable broad EKS discovery and log collection unless you are comfortable with Secrets and application logs being inspected.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wrong account, region, template, or stop condition is used, the experiment could disrupt production services.
The skill intentionally invokes AWS FIS, which can disrupt real infrastructure. The artifacts also disclose safety checks and require explicit confirmation, so this is purpose-aligned but high-impact.
FIS experiments affect **real production resources**. Starting without proper confirmation, impact review, or stop conditions risks unintended damage. ... **Starts the experiment** only after explicit user confirmation.
Before confirming, verify the AWS account, region, template ID, action list, affected resources, duration, and stop conditions; run with a least-privilege role.
The agent may enumerate and inspect unrelated clusters or workloads if the AWS/kubectl identity has broad access.
The instructions expand from the prepared experiment to every EKS cluster the current credentials can access in the region, which is broader than a specific experiment target.
loads `app-service-log-analysis` skill to discover ALL EKS clusters in the target region ... deep-scans all accessible clusters in parallel
Use a dedicated, least-privilege AWS profile and kubeconfig limited to the intended cluster(s); require explicit user selection before scanning clusters or namespaces.
Sensitive values, credentials, customer data, or operational logs could be collected into reports or raw log files.
The skill directs the agent to read Kubernetes Secrets, configuration, environment data, and live application logs across accessible clusters, but the artifacts do not define redaction, retention, or narrow scope controls.
deep-scans all accessible clusters in parallel for application dependencies (env vars, ConfigMaps, Secrets, ExternalName, etc.), and starts background `kubectl logs -f` **before the experiment starts**
Exclude Kubernetes Secrets by default, redact logs, define retention and storage locations, and require opt-in for each cluster/namespace and log source.
Actual data collection behavior depends partly on a separate skill that must be trusted and reviewed independently.
A separate skill, not included in the provided artifact contents, performs important discovery and log-analysis behavior.
**REQUIRED SUB-SKILL:** `app-service-log-analysis` must be installed. Loaded at runtime for application discovery, log collection, and analysis.
Install `app-service-log-analysis` only from a trusted source and review its permissions, log handling, and cleanup behavior before using this skill.
If the session crashes or is interrupted, log-following processes could continue longer than intended.
The background log collection is disclosed and purpose-aligned, but it creates long-running processes that should be bounded and cleaned up.
starts background `kubectl logs -f` **before the experiment starts**
Confirm the skill records process IDs, stops collectors on abort or completion, and provides cleanup commands for interrupted runs.
