Nsg Firewall Auditor

Audit Azure NSG rules and Azure Firewall policies for dangerous internet exposure

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Anmol Nagpal (@anmolnagpal)
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the instructions: the skill asks users to provide az CLI exports (NSG lists, effective rules, firewall policies) and describes checks and remediation. It does not request unrelated credentials, binaries, or access.
Instruction Scope
SKILL.md stays within scope (it instructs the agent to analyze user-provided exports and not to run CLI against the user's account). Minor inconsistency: the front-matter lists 'tools: claude, bash' though the body emphasizes that the skill will not execute Azure CLI — this is likely informational but could confuse less technical users. The skill explicitly warns to confirm exported data contains no credentials before processing.
Install Mechanism
No install spec and no code files — instruction-only, so nothing is written to disk or downloaded. This is the lowest-risk install model and matches the stated behavior.
Credentials
No environment variables, no credentials, and no config paths are requested. The skill requests exported CLI output and recommends minimum RBAC roles for running those CLI commands locally; those requirements are proportionate to the auditing task.
Persistence & Privilege
always is false and model invocation is allowed (platform default). The skill does not request persistent presence or modification of other skills or system-wide settings.
Assessment
This skill is instruction-only and appears coherent, but take these precautions before using it: (1) Run the az commands locally yourself and review the JSON output — do not paste any credentials, tokens, or connection strings. (2) If you must share data, redact or replace sensitive identifiers and public IPs when possible, or share a sanitized example. (3) Use least-privilege roles locally (Reader is sufficient for many exports; Network Contributor is only needed for some effective-rule queries). (4) The skill will produce recommended CLI commands and tightened JSON — review those before applying them in your environment. (5) Note the skill lists a price and 'pack' metadata in its header; this is informational and not required to run the guidance. If you need the auditor to run commands directly against your subscription, prefer a vetted tool or grant temporary, audited access rather than pasting secrets into chat.


Current version: v1.0.0
latest: vk979tw3avqkpqga5898cpr2bf5829288


SKILL.md

Azure NSG & Firewall Auditor

You are an Azure network security expert. NSG misconfigurations are a direct path to your virtual machines.

This skill is instruction-only. It does not execute any Azure CLI commands or access your Azure account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. NSG rules export — all network security groups and their rules
     az network nsg list --output json > nsg-list.json
     az network nsg show --name my-nsg --resource-group my-rg --output json
  2. NSG effective rules for a VM — to see what actually applies
     az network nic list-effective-nsg --ids /subscriptions/.../networkInterfaces/my-nic --output json
  3. Azure Firewall policy export — if Azure Firewall is in use
     az network firewall list --output json
     az network firewall policy list --output json

Minimum Azure RBAC role needed to run the CLI commands above (Reader covers the read-only list/show exports; the effective-rules query additionally needs Network Contributor):

{
  "role": "Network Contributor",
  "scope": "Subscription",
  "note": "Use 'Reader' role at minimum; 'Network Contributor' for effective rules query"
}

If the user cannot provide any data, ask them to describe their VNet topology, which ports are intentionally open to the internet, and which VMs are internet-facing.

Checks

  • 0.0.0.0/0 source on RDP (3389), SSH (22) — internet-exposed remote access
  • Management ports open to the internet: WinRM (5985/5986), PowerShell Remoting
  • Database ports accessible from broad CIDRs: SQL (1433), MySQL (3306), PostgreSQL (5432)
  • Missing NSG on subnets containing sensitive resources
  • NSG flow logs disabled (no traffic visibility for incident response)
  • Default "Allow VirtualNetwork" rule not restricted
  • Overly permissive allow-all rules between subnets (no micro-segmentation)
  • JIT VM Access not enabled for management ports

Output Format

  • Critical Findings: internet-exposed management and database ports
  • Findings Table: NSG name, rule, source, port, risk, blast radius
  • Tightened NSG Rules: corrected JSON with specific source IPs or service tags
  • JIT VM Access: enable recommendation with Azure CLI command
  • Azure Policy: rule to deny 0.0.0.0/0 inbound on sensitive ports
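As an added example (not code from the skill or its author), the following Python runs the management- and database-port checks from the Checks list over a constructed `az network nsg list` export and returns the Findings Table fields (NSG, rule, source, port, risk, blast radius) together with a tightened copy of each flagged rule. The /16 threshold for a "broad CIDR", the placeholder source value and the sample export are assumptions of this example.

```python
"""Run this skill's port-exposure checks over an `az network nsg list --output json` export.
Example code added here, not part of the skill; the sample export at the bottom is constructed."""
import copy
import ipaddress
import json

# Ports named in the skill's check list, with the service each carries.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM/HTTP", 5986: "WinRM/HTTPS"}
DATABASE_PORTS = {1433: "SQL Server", 3306: "MySQL", 5432: "PostgreSQL"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "0.0.0.0", "::/0"}  # "anywhere" in NSG terms
BROAD_PREFIX_MAX_LEN = 16  # assumption for this example: shorter than /16 is a "broad CIDR"
PLACEHOLDER_SOURCE = "REPLACE_WITH_APPROVED_CIDR_OR_SERVICE_TAG"  # operator fills this in

def rule_sources(rule):
    """All source prefixes on a rule; az emits both singular and plural fields."""
    sources = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    return sources

def rule_port_ranges(rule):
    """All destination port ranges on a rule, e.g. ["22", "3000-4000", "*"]."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    return ranges

def range_covers(port_range, port):
    """True if an NSG port range string includes `port`."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def source_scope(source):
    """Classify one source prefix as 'internet', 'broad' or 'scoped'."""
    if source in INTERNET_SOURCES:
        return "internet"
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return "scoped"  # service tag (VirtualNetwork, AzureLoadBalancer, ...) or an ASG name
    if net.prefixlen == 0:
        return "internet"
    return "broad" if net.prefixlen < BROAD_PREFIX_MAX_LEN else "scoped"

def tighten_rule(rule):
    """Copy of a flagged rule with its source narrowed to the placeholder (Bastion/JIT is the better fix for RDP/SSH)."""
    fixed = copy.deepcopy(rule)
    fixed["sourceAddressPrefix"] = PLACEHOLDER_SOURCE
    fixed["sourceAddressPrefixes"] = []
    return fixed

def audit_nsg_export(nsgs):
    """One finding per (inbound Allow rule, sensitive port) opened to the internet or a broad CIDR.
    Rules are judged one at a time: a higher-priority Deny that shadows a rule is not modelled
    here, which is what the effective-rules export (input 2) is for."""
    findings = []
    for nsg in nsgs:
        # Blast radius: how many subnets and NICs the NSG is attached to.
        blast_radius = len(nsg.get("subnets") or []) + len(nsg.get("networkInterfaces") or [])
        for rule in sorted(nsg.get("securityRules") or [], key=lambda r: r["priority"]):
            if (rule.get("direction") != "Inbound" or rule.get("access") != "Allow"
                    or rule.get("protocol", "*").lower() not in ("*", "tcp")):
                continue  # only inbound TCP allows matter for the listed services
            scopes = {source_scope(s) for s in rule_sources(rule)}
            scope = "internet" if "internet" in scopes else "broad" if "broad" in scopes else None
            if scope is None:
                continue
            for port, service in {**MANAGEMENT_PORTS, **DATABASE_PORTS}.items():
                if any(range_covers(r, port) for r in rule_port_ranges(rule)):
                    findings.append({
                        "nsg": nsg["name"], "rule": rule["name"], "port": port, "service": service,
                        "source": ", ".join(rule_sources(rule)), "blast_radius": blast_radius,
                        "category": "management" if port in MANAGEMENT_PORTS else "database",
                        "risk": "Critical" if scope == "internet" else "High",
                        "tightened_rule": tighten_rule(rule)})
    return findings

# Constructed sample in the shape of `az network nsg list --output json`; not real data.
SAMPLE_EXPORT = [
    {"name": "web-nsg", "subnets": [{"id": "/subscriptions/EXAMPLE/.../subnets/web"}],
     "networkInterfaces": [{"id": ".../web-vm1-nic"}, {"id": ".../web-vm2-nic"}],
     "securityRules": [
         {"name": "allow-rdp-any", "priority": 200, "direction": "Inbound", "access": "Allow",
          "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
         {"name": "allow-ssh-office", "priority": 210, "direction": "Inbound", "access": "Allow",
          "protocol": "Tcp", "sourceAddressPrefixes": ["203.0.113.0/24"], "destinationPortRanges": ["22"]},
         {"name": "deny-all-inbound", "priority": 4000, "direction": "Inbound", "access": "Deny",
          "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}]},
    {"name": "db-nsg", "subnets": [], "networkInterfaces": [{"id": ".../sql-vm-nic"}],
     "securityRules": [
         {"name": "allow-sql-corp", "priority": 100, "direction": "Inbound", "access": "Allow",
          "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "1433"},
         {"name": "allow-winrm-range", "priority": 110, "direction": "Inbound", "access": "Allow",
          "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "5980-5990"},
         {"name": "allow-dns-udp", "priority": 120, "direction": "Inbound", "access": "Allow",
          "protocol": "Udp", "sourceAddressPrefix": "*", "destinationPortRange": "53"}]}]

if __name__ == "__main__":
    print(json.dumps(audit_nsg_export(SAMPLE_EXPORT), indent=2))
```

Run it as a script to print the findings as JSON, or import `audit_nsg_export` and pass it the parsed output of `az network nsg list --output json`. On the sample it flags the RDP rule open to `*`, the SQL rule reachable from a /8, and both WinRM ports hidden inside the `5980-5990` range, while the Deny rule, the UDP rule and the /24-scoped SSH rule produce nothing. The tightened copies deliberately carry a placeholder source rather than a guessed CIDR: the approved ranges come from the user's topology description, and for RDP/SSH the skill's rules prefer Azure Bastion or JIT over any CIDR.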

Rules

  • Always recommend Azure Bastion as replacement for direct RDP/SSH exposure
  • JIT VM Access restricts management ports to approved IPs for approved time windows — always recommend
  • Flag NSG rules that predate 2022 — often created as temporary and never removed
  • Note: Azure Firewall Premium adds IDPS — recommend for internet-facing workloads
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
