Skill v0.1.0
ClawScan security
K8s Debug · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 1:37 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are consistent with a kubectl-based Kubernetes debugging toolkit and do not request unrelated credentials or install arbitrary remote code.
- Guidance: This skill appears coherent for Kubernetes troubleshooting. Before installing or running it: ensure you trust the author (source unknown), verify you have a correct kubectl context, and review the scripts locally. Be aware the network diagnostic script may kubectl exec into pods and read the container's serviceaccount token to test API access — that is normal for in-pod API probes but is sensitive data. Disruptive commands (delete, drain, rollout undo/restart) are present in examples and marked as requiring explicit confirmation; do not run those without understanding blast radius and having backups/rollbacks available.
Review Dimensions
- Purpose & Capability (ok): The name/description match the included scripts and reference docs. The files implement kubectl-driven cluster, network, and pod diagnostics (cluster_health.sh, network_debug.sh, pod_diagnostics.py) which are appropriate for a K8s debugging skill.
- Instruction Scope (ok): SKILL.md instructs the agent to run local scripts and kubectl commands, perform read-only diagnostics by default, and require explicit confirmation for disruptive commands. Scripts operate on local kubectl context and in-cluster pods; they do not contain calls to external servers or instructions to exfiltrate data.
- Install Mechanism (ok): No install spec is provided (instruction-only with bundled scripts). That minimizes install-time risk; the skill expects existing tools like kubectl/jq rather than pulling remote binaries.
- Credentials (note): The skill declares no required env vars or credentials, which is appropriate. Note: network_debug.sh may exec into a pod and read the in-pod serviceaccount token (from /var/run/secrets/...) to run authenticated API probes — this is consistent with deep network diagnostics but is sensitive data inside the container. The scripts check RBAC and fall back if exec or tokens are not available.
- Persistence & Privilege (ok): always is false and there is no install-time modification of other skills or persistent agent settings. The skill runs on-demand and requires the user's kubectl context to operate.
