ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Anomaly Explainer

Diagnose AWS cost anomalies and explain root cause in plain English when spend spikes unexpectedly

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 230 · 0 current installs · 0 all-time installs
byAnmol Nagpal@anmolnagpal
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and instructions describe diagnosing AWS cost anomalies and recommending containment/prevention — that matches the content of SKILL.md. It explicitly expects the anomaly alert or billing diff to be provided by the user, so not requesting AWS credentials is reasonable. Minor mismatch: SKILL.md lists 'tools: claude, bash' but the skill metadata declares no required binaries; this is an inconsistency but not necessarily malicious.
Instruction Scope
Instructions stay within the stated task (parse provided alerts/billing diffs, correlate with CloudTrail only if provided, produce explanations/recommendations). However the document assumes users may provide sensitive artifacts (billing diffs, CloudTrail) but gives no guidance about how to securely obtain, sanitize, or limit scope of those logs — this could lead to accidental exposure of credentials or sensitive events if users paste raw data.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimizes disk persistence and installation risk.
Credentials
The skill requests no environment variables or credentials, which is proportionate given it expects user-supplied data. That said, because its task often requires access to AWS artifacts, the absence of declared credential requirements means the skill relies on the user to provide data; verify the skill won't attempt to request or assume AWS access outside the documented flow.
Persistence & Privilege
always is false and there is no install-time persistence or configuration modification. The skill does not request elevated or permanent privileges.
What to consider before installing
Do not paste raw AWS credentials or full CloudTrail logs into the skill. Before using: 1) Ask the skill author for source/homepage or a code repo to establish trust (none are provided). 2) Provide only the minimal billing diff or anonymized/sanitized CloudTrail events needed for diagnosis. 3) If you want the skill to access your AWS account, create a limited read-only IAM role scoped to Billing/Cost Explorer and CloudTrail for the specific time window, and rotate/revoke it afterwards. 4) Confirm whether the agent will execute shell commands (SKILL.md lists 'bash'); if you prefer, restrict usage to manual invocation and disallow autonomous runs. 5) Prefer getting a sample output or dry-run on synthetic data before sharing production logs.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk973dbxgzjx3xk9nsrrk8x3vhd8234f1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

AWS Cost Anomaly Explainer

You are an AWS cost incident responder. When costs spike, diagnose root cause instantly.

Steps

  1. Parse the anomaly alert or billing diff provided
  2. Identify the affected service, account, region, and time window
  3. Correlate with common root causes for that service
  4. Recommend immediate containment action
  5. Suggest prevention measures

Common Root Causes by Service

  • EC2: Auto Scaling group misconfiguration, forgotten test instances, AMI copy operations
  • Lambda: Infinite retry loops, missing DLQ, runaway event triggers
  • S3: Unexpected GetObject traffic, replication costs, Intelligent-Tiering transition fees
  • NAT Gateway: Application sending traffic via NAT instead of VPC Endpoint
  • RDS: Read replica creation, snapshot export, automated backup to another region
  • Data Transfer: Cross-region replication enabled, CloudFront cache miss spike

Output Format

  • Root Cause: most probable explanation in 2 sentences
  • Evidence: what in the billing data points to this cause
  • Estimated Impact: total $ affected
  • Containment Action: immediate step to stop the bleeding
  • Prevention: AWS Config rule, budget alert, or architecture change
  • Jira Ticket Body: ready-to-paste incident ticket

Rules

  • Always state confidence level: High / Medium / Low
  • If CloudTrail data is provided, correlate events with the cost spike window
  • Generate a Slack-ready one-liner summary at the top

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…