IAM Policy Auditor

Audit AWS IAM policies and roles for over-privilege, wildcard permissions, and least-privilege violations

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Anmol Nagpal (@anmolnagpal)
Security Scan

VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name and description (IAM policy auditing) align with the SKILL.md: parse policy JSON, flag dangerous patterns, map to MITRE ATT&CK, and produce least-privilege replacements. The skill declares no required credentials or installs, which is coherent if the user supplies the IAM policy JSON to be audited. One minor oddity: the SKILL.md header lists tools: "claude, bash" — if the implementation actually executes bash or attempts to call remote models to fetch policies, that would require additional permissions/credentials which are not declared.
Instruction Scope
The runtime instructions focus on parsing provided IAM policy JSON and producing findings and remediation; they do not instruct reading arbitrary files, environment variables, or contacting external endpoints. However, a few items imply account-level checks (e.g., "flag policies attached to EC2 instance profiles", "recommend enabling IAM Access Analyzer if not active") which would require querying AWS account state. The SKILL.md does not describe how to obtain those artifacts (user paste vs. using AWS credentials). That ambiguity should be clarified before giving the skill access to an AWS account or letting it run shell commands.
Install Mechanism
No install spec and no code files are present (instruction-only). This is low-risk: nothing will be written to disk or automatically installed by the skill itself.
Credentials
The skill declares no required environment variables or primary credentials, which is proportionate for an analysis that works from user-provided policy JSON. If the skill later asks for AWS credentials to fetch attached resources or to check account configuration, that would be an escalation and should be explicitly declared and justified.
Persistence & Privilege
The always flag is false and there is no installation step that requests persistent presence. The skill is user-invocable and not forced into every agent run, which is appropriate for a tool that performs security audits on demand.
Assessment
This skill looks coherent for auditing IAM policy JSON as long as you supply the policies yourself. Before installing or running it: (1) Do not provide AWS credentials unless you explicitly want the skill to fetch live account attachments—ask the developer how the skill obtains policies. (2) If the skill asks to run shell commands (the SKILL.md lists "bash"), avoid granting shell access or providing files from your system; instead paste the policy JSON directly. (3) Treat the generated "least-privilege" policy as a draft—review and test it in a safe environment before applying to production. (4) If the skill requests IAM keys or asks to enable services like Access Analyzer, require explicit justification and limit permissions (use read-only, scoped credentials or a dedicated auditing role).


Current version: v1.0.0
latest: vk9714ggppdbcgvm3wc87skg5w9823ae3


SKILL.md

AWS IAM Policy Auditor

You are an AWS IAM security expert. IAM misconfiguration is the #1 AWS breach vector.

Steps

  1. Parse IAM policy JSON — identify all actions, resources, and conditions
  2. Flag dangerous patterns (wildcards, admin-equivalent, no conditions)
  3. Map to real attack scenarios using MITRE ATT&CK Cloud
  4. Generate least-privilege replacement policy
  5. Score overall risk level

Dangerous Patterns to Flag

  • "Action": "*" — full AWS access
  • "Resource": "*" with sensitive actions — unscoped permissions
  • iam:PassRole without condition — role escalation
  • sts:AssumeRole with no condition — cross-account trust abuse
  • iam:CreatePolicyVersion — privilege escalation primitive
  • s3:* on * — full S3 access
  • Any action with "Effect": "Allow" and no condition on production resources
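A small checker for the patterns listed above, as an added example (it is not the skill's own code; the skill is instruction-only). The severity given to each pattern and the list of "sensitive" service prefixes are assumptions of this example, not rules the skill prescribes.

```python
import json
from collections import Counter

# Severity scale taken from the skill's output format; which level each
# pattern gets is an assumption of this example.
LEVELS = ["Low", "Medium", "High", "Critical"]
# Assumed "sensitive" service prefixes for the Resource:"*" check.
SENSITIVE = ("iam:", "sts:", "s3:", "kms:", "secretsmanager:", "ec2:", "lambda:")

def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _covers(pattern, action):
    """True if a policy action pattern (e.g. 'iam:*', 'iam:Pass*') grants the given action."""
    p, a = pattern.lower(), action.lower()
    return p == "*" or (p.endswith("*") and a.startswith(p[:-1])) or p == a

def audit_policy(policy_json):
    """Return (risk_score, findings, summary) for one IAM policy document."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    findings = []  # tuples of (severity, action_or_element, description)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements grant nothing; only Allow can over-privilege
        if "NotAction" in stmt:  # everything except the listed actions is allowed
            findings.append(("High", "NotAction", "inverted action list: broad implicit grant"))
        has_cond = bool(stmt.get("Condition"))
        wild_res = "*" in _as_list(stmt.get("Resource"))
        for act in _as_list(stmt.get("Action")):
            before = len(findings)
            if act == "*":
                findings.append(("Critical", act, "full AWS access"))
                continue
            if act.lower() == "s3:*" and wild_res:
                findings.append(("High", act, "full S3 access on every bucket"))
            if _covers(act, "iam:CreatePolicyVersion"):
                findings.append(("High", act, "privilege escalation primitive"))
            if _covers(act, "iam:PassRole") and not has_cond:
                findings.append(("High", act, "role escalation: PassRole without condition"))
            if _covers(act, "sts:AssumeRole") and not has_cond:
                findings.append(("Medium", act, "cross-account trust abuse: AssumeRole without condition"))
            if wild_res and act.lower().startswith(SENSITIVE):
                findings.append(("Medium", act, "unscoped permission: sensitive action on Resource *"))
            if len(findings) == before and not has_cond:
                findings.append(("Low", act, "Allow with no Condition"))
    summary = Counter(sev for sev, _, _ in findings)  # counts per level, as the Rules ask for
    score = max(summary, key=LEVELS.index, default="Low")  # overall risk = worst finding
    return score, findings, summary
```

The returned summary gives the Critical/High/Medium/Low counts the skill's Rules ask for at the end of a report; the findings list is the raw material for the findings table.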

Output Format

  • Risk Score: Critical / High / Medium / Low with justification
  • Findings Table: action/resource, risk, attack scenario
  • MITRE ATT&CK Mapping: technique ID + name per high-risk permission
  • Remediation: corrected least-privilege policy JSON with inline comments
  • IAM Access Analyzer Check: recommend enabling if not active

Rules

  • Explain each permission in plain English first, then the attack path
  • Generate a minimal replacement policy that preserves intended functionality
  • Flag policies attached to EC2 instance profiles — these are the most dangerous
  • End with: number of Critical/High/Medium/Low findings summary

Files

1 total