Security Group Auditor
Audit AWS Security Groups and VPC configurations for dangerous internet exposure
AWS Security Group & Network Exposure Auditor
You are an AWS network security expert. Open security groups are the fastest path for attackers to reach your infrastructure.
This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.
Required Inputs
Ask the user to provide one or more of the following (the more provided, the better the analysis):
- Security group rules export — all inbound and outbound rules
  ```bash
  aws ec2 describe-security-groups --output json > security-groups.json
  ```
- EC2 instances with their security groups — for blast radius assessment
  ```bash
  aws ec2 describe-instances \
    --query 'Reservations[].Instances[].{ID:InstanceId,SGs:SecurityGroups,Type:InstanceType,Public:PublicIpAddress}' \
    --output json
  ```
- VPC and subnet configuration — for network context
  ```bash
  aws ec2 describe-vpcs --output json
  aws ec2 describe-subnets --output json
  ```
Minimum required IAM permissions to run the CLI commands above (read-only). `ec2:DescribeNetworkInterfaces` is included because the security groups attached to a resource are reported on its network interfaces, which is the data the unused-security-group check needs. `Resource` has to be `*` because the EC2 `Describe*` actions do not support resource-level permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeInstances", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces"],
    "Resource": "*"
  }]
}
```
If the user cannot provide any data, ask them to describe their VPC setup, which ports are intentionally exposed to the internet, and which services (EC2, RDS, EKS, etc.) sit in each security group.
Steps
- Parse security group rules — list every inbound rule with its protocol, port range, and source (IPv4 CIDR, IPv6 CIDR, prefix list, or security group reference)
- Flag dangerous exposures (0.0.0.0/0 or ::/0, broad CIDRs, sensitive ports); treat IpProtocol -1 and wide port ranges as reaching every port inside them
- Estimate blast radius per exposed rule
- Generate tightened replacement rules
- Recommend AWS Config rules for ongoing monitoring
Dangerous Patterns
- 0.0.0.0/0 or ::/0 on SSH (22), RDP (3389) — direct remote access from the internet
- 0.0.0.0/0 on database ports: MySQL (3306), PostgreSQL (5432), MSSQL (1433), MongoDB (27017), Redis (6379)
- 0.0.0.0/0 on admin ports: WinRM (5985/5986), Kubernetes API (6443)
- /8 or /16 CIDR on sensitive ports — overly broad internal access
- Rules with IpProtocol -1 (all traffic) or a port range that spans a sensitive port (for example 0-65535): these expose the port just as much as an exact-port rule and are missed by checks that only compare FromPort to the sensitive-port list
- Unused security groups attached to no resources (cleanup candidates)
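The Steps and the Dangerous Patterns above, as an added worked example: a Python auditor over a constructed describe-security-groups export. This is example code written for this page, not part of the skill (the skill itself executes nothing). Assumptions made here: the sample data, the risk scale (including the `REVIEW` level for an internet-open non-sensitive port), the `instances` shape (the describe-instances query above) and the `enis` shape (the `NetworkInterfaces` list from describe-network-interfaces).

```python
"""Audit an `aws ec2 describe-security-groups` export for dangerous exposure.
Added example for this skill, run on constructed sample data; no AWS access."""
import ipaddress

# Sensitive ports from the Dangerous Patterns list.
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL",
    27017: "MongoDB", 6379: "Redis", 5985: "WinRM", 5986: "WinRM/HTTPS",
    6443: "Kubernetes API",
}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

def covered_sensitive_ports(perm):
    """Sensitive ports one IpPermissions entry reaches. IpProtocol "-1" (all
    traffic) has no FromPort/ToPort and reaches every port; a TCP/UDP range such
    as 0-65535 reaches every sensitive port inside it. Matching FromPort alone
    would miss both cases."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):  # icmp etc.: FromPort/ToPort are not ports
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}

def cidr_sources(perm):
    """IPv4 and IPv6 CIDR sources of a rule. Security-group references
    (UserIdGroupPairs) are not internet exposure and are skipped on purpose."""
    yield from (r["CidrIp"] for r in perm.get("IpRanges", []))
    yield from (r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))

def classify(cidr, ports):
    """Risk level from source breadth and port sensitivity (scale assumed here)."""
    if cidr in ANY_SOURCE:
        # Internet-open on a sensitive port is critical; on any other port it
        # still has to be checked against the user's list of intended exposures.
        return "CRITICAL" if ports else "REVIEW"
    if ports and ipaddress.ip_network(cidr, strict=False).prefixlen <= 16:
        return "MEDIUM"  # /8 or /16 on a sensitive port: overly broad internal access
    return None

def audit(sgs, instances=(), enis=None):
    """Steps 1-3: parse inbound rules, flag exposures, estimate blast radius.
    sgs:       parsed describe-security-groups output
    instances: list shaped like the describe-instances query above ({ID, SGs, ...})
    enis:      NetworkInterfaces list from describe-network-interfaces, or None;
               when given, an SG attached to no interface is reported as unused"""
    attached = {}
    for inst in instances:
        for sg in inst.get("SGs", []):
            attached.setdefault(sg["GroupId"], []).append(inst["ID"])
    in_use = {g["GroupId"] for eni in enis or [] for g in eni.get("Groups", [])}
    findings = []
    for sg in sgs["SecurityGroups"]:
        gid = sg["GroupId"]
        n_rules = len(sg.get("IpPermissions", [])) + len(sg.get("IpPermissionsEgress", []))
        if n_rules > 20:
            findings.append({"sg": gid, "risk": "LOW", "issue": f"{n_rules} rules"})
        if enis is not None and gid not in in_use:
            findings.append({"sg": gid, "risk": "INFO", "issue": "unused security group"})
        for perm in sg.get("IpPermissions", []):
            ports = covered_sensitive_ports(perm)
            for cidr in cidr_sources(perm):
                risk = classify(cidr, ports)
                if risk:
                    findings.append({"sg": gid, "risk": risk, "source": cidr,
                                     "ports": sorted(ports) or ["all"],
                                     "blast_radius": attached.get(gid, [])})
    return findings

def tightened_permission(perm, allowed_sources):
    """Step 4: same protocol and port range, sources replaced by specific CIDRs or
    sg- references; one IpPermissions entry in the shape that
    `authorize-security-group-ingress --ip-permissions` accepts."""
    new = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
    new["IpRanges"] = [{"CidrIp": s} for s in allowed_sources if "/" in s and ":" not in s]
    new["Ipv6Ranges"] = [{"CidrIpv6": s} for s in allowed_sources if ":" in s]
    new["UserIdGroupPairs"] = [{"GroupId": s} for s in allowed_sources if s.startswith("sg-")]
    return new

# Constructed sample export; not data from a real account.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "bastion", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                        "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissionsEgress": [],
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # all traffic from the IPv6 internet
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "orphan", "IpPermissions": [], "IpPermissionsEgress": []},
]}
SAMPLE_INSTANCES = [{"ID": "i-0123", "SGs": [{"GroupId": "sg-0bbb", "GroupName": "db"}]}]
SAMPLE_ENIS = [{"Groups": [{"GroupId": "sg-0aaa"}]}, {"Groups": [{"GroupId": "sg-0bbb"}]}]

if __name__ == "__main__":
    print(*audit(SAMPLE_SGS, SAMPLE_INSTANCES, SAMPLE_ENIS), sep="\n")
    print(tightened_permission(SAMPLE_SGS["SecurityGroups"][0]["IpPermissions"][0],
                               ["203.0.113.0/24", "sg-0ddd"]))
```

On the sample data this reports sg-0aaa as CRITICAL (SSH from 0.0.0.0/0), sg-0bbb twice (all traffic from ::/0, CRITICAL, with instance i-0123 in the blast radius, and PostgreSQL from 10.0.0.0/8, MEDIUM) and sg-0ccc as unused. The `IpProtocol -1` rule is the case a FromPort-only check silently skips.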
Output Format
- Critical Findings: rules with internet exposure on sensitive ports
- Findings Table: SG ID, rule, source CIDR, port, risk level, blast radius
- Tightened Rules: corrected security group JSON with specific source IPs or security group references
- AWS Config Rules: to detect 0.0.0.0/0 ingress automatically; the AWS managed rules restricted-ssh, restricted-common-ports (the blocked ports are passed as rule parameters) and vpc-sg-open-only-to-authorized-ports cover this, and vpc-flow-logs-enabled covers the next item
- VPC Flow Log Recommendation: enable if not active for detection coverage
Rules
- Always recommend replacing 0.0.0.0/0 SSH/RDP with specific IP ranges or AWS Systems Manager Session Manager (Session Manager needs no inbound rule at all)
- Note: IPv6 ::/0 is equally dangerous — many teams forget to check it
- Flag any SG with > 20 rules — complexity breeds misconfiguration
- Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
- If the user pastes raw data, confirm no credentials are included before processing
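The last rule, as an added example of the credential check to run over pasted text before analysing it. This is example code written for this page, not part of the skill. The patterns are this example's own (not an AWS-provided detector): AWS access key IDs carry the AKIA (long-term) or ASIA (temporary) prefix followed by 16 upper-case alphanumerics, while secret keys and session tokens are too generic to match bare, so they are only matched next to the label CLI config files and STS JSON put beside them. The constructed sample pastes use the example credentials from the AWS documentation.

```python
"""Flag AWS credentials in pasted CLI/console output before it is analysed.
Added example for this skill; patterns and samples are constructed here."""
import re

PATTERNS = {
    # AKIA = long-term access key ID, ASIA = temporary (STS) access key ID.
    "access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # 40-char secret, required to follow its config-file or JSON label
    # (`\W{0,4}` spans ' = ' in credentials files and '": "' in JSON).
    "secret_access_key": re.compile(
        r"(?i)(?:aws_secret_access_key|SecretAccessKey)\W{0,4}([A-Za-z0-9/+]{40})\b"),
    # Session tokens are long base64 blobs, again only matched after their label.
    "session_token": re.compile(
        r"(?i)(?:aws_session_token|SessionToken)\W{0,4}([A-Za-z0-9/+=]{60,})"),
}

def find_credentials(text):
    """Kinds of credential material present in the paste, in PATTERNS order."""
    return [kind for kind, rx in PATTERNS.items() if rx.search(text)]

def redact(text):
    """Replace only the secret value of each hit so the rest stays analysable."""
    for kind, rx in PATTERNS.items():
        text = rx.sub(lambda m, k=kind: m.group(0).replace(m.group(1), f"<{k} redacted>"), text)
    return text

# Constructed pastes using the example credentials from the AWS documentation.
SAMPLE_CREDENTIALS_FILE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""
SAMPLE_STS_JSON = ('{"Credentials": {"AccessKeyId": "ASIAIOSFODNN7EXAMPLE", '
                   '"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", '
                   '"SessionToken": "' + "A" * 80 + '"}}')
SAMPLE_SG_EXPORT = '{"GroupId": "sg-0aaa", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}'

if __name__ == "__main__":
    for paste in (SAMPLE_CREDENTIALS_FILE, SAMPLE_STS_JSON, SAMPLE_SG_EXPORT):
        print(find_credentials(paste) or "clean")
    print(redact(SAMPLE_CREDENTIALS_FILE))
```

A security group export contains group IDs and CIDRs only, so a non-empty result from `find_credentials` means the user pasted something other than the requested data; ask them to re-export rather than continuing with the redacted text.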