Eks Workload Best Practice Assessment
Review
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only EKS assessment skill is purpose-aligned, but it needs broad Kubernetes/AWS read access and includes optional high-privilege setup examples that users should treat carefully.
This skill appears suitable for EKS workload assessment, but run it with the least-privilege AWS and Kubernetes credentials you can. Confirm the target cluster and namespace scope, consider opting out of the default infrastructure-layer add-on if not needed, and do not blindly apply the README’s cluster-admin setup example in production.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may inspect broad Kubernetes configuration, including workload specs and RBAC metadata.
The skill relies on kubectl commands that can read broad cluster workload and RBAC configuration. This is expected for an EKS best-practice assessment, but users should ensure the correct cluster and scope are selected.
kubectl get deployments {NAMESPACE_FILTER} -o json
kubectl get clusterrolebindings -o json
kubectl get clusterroles -o json
Run it only against intended clusters and namespaces, and use read-only Kubernetes permissions where possible.
If followed as-is, the EC2 role or principal could gain broad administrative control over the EKS cluster.
The README provides a user-directed setup example that grants cluster-wide EKS admin access. It also advises using more restrictive policies in production, so this is disclosed rather than hidden, but it is broader than a read-only assessment usually needs.
--policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
--access-scope type=cluster
Avoid granting cluster-admin for assessment unless truly required; prefer least-privilege read-only access scoped to the target namespaces or resources.
The agent may send best-practice search queries to external MCP providers during the assessment.
The workflow depends on external MCP documentation tools. The artifacts show these are used for best-practice research, not for sending collected cluster data, but users should still trust the configured MCP servers.
This skill requires:
- **[aws knowledge mcp server]** tools:
  - `aws___search_documentation`
  - `aws___read_documentation`
- **[context7 MCP]** tools:
Use trusted MCP server configurations and avoid including sensitive cluster details in documentation-search queries unless needed.
The assessment may include additional infrastructure review using another skill, potentially causing broader AWS/EKS inspection than the user expected.
The skill can invoke another skill by default to add infrastructure-layer results. This is disclosed and related, but it broadens the assessment beyond workload-only checks.
If infrastructure layer assessment is included (default: yes):
1. Invoke the `aws-best-practice-research` skill
Opt out of infrastructure-layer assessment if you only want workload-level checks, and review the other skill before allowing it to run.
