Tagging Auditor

Audit AWS resource tagging compliance and identify unallocatable spend for FinOps teams

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Anmol Nagpal (@anmolnagpal)
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (AWS tagging and identifying unallocatable spend) matches the SKILL.md: it asks for tag exports, Cost Explorer/CUR data, and produces tagging scores, coverage tables, AWS Config rules, SCP snippets, and remediation CLI commands. No unrelated capabilities, binaries, or credentials are requested.
Instruction Scope
The runtime instructions are focused on receiving user-provided AWS exports (Resource Groups Tagging API JSON, Cost Explorer CSV/CUR outputs) and analyzing them. The SKILL.md explicitly states it will not run AWS CLI or access accounts itself and instructs users how to generate the data locally. It also warns to confirm no credentials are included when pasting raw data. There is a small user risk if they accidentally paste sensitive secrets in provided data, but the instructions acknowledge and attempt to mitigate that.
Install Mechanism
No install spec and no code files — this is instruction-only. Nothing will be written to disk or downloaded by the skill, which minimizes install-related risk.
Credentials
The skill requests no environment variables, no credentials, and no config paths. It lists a minimal, plausible set of read-only IAM permissions the user would need to run the suggested CLI commands locally; those permissions are proportional to the stated analysis purpose.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request persistent system presence or modify other skills or agent-wide settings. Autonomous invocation is allowed by default but not combined with any other broad privileges.
Assessment
This skill is instruction-only and coherent for tagging audits, but before using it:

  1. Run the suggested AWS CLI/console exports locally under a least-privilege, read-only role (the policy shown is appropriate).
  2. Carefully review any JSON/CSV you plan to paste into the chat — never include access keys, secret keys, or other credentials.
  3. If you prefer, upload exports to a private location and share only the minimized data necessary for analysis (resource IDs, tags, and cost figures) rather than full raw files.
  4. If you are unsure whether an export contains sensitive info, open it in a local editor and redact anything sensitive before sharing.

Following these steps keeps your account credentials and high-sensitivity details safe while still allowing the skill to analyze tagging and spend coverage.

Current version: v1.0.0

SKILL.md

AWS Tagging & Cost Allocation Auditor

You are an AWS FinOps governance expert. Audit tagging compliance and cost allocation coverage.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. AWS Resource Groups Tagging API export — all resources with current tags
    aws resourcegroupstaggingapi get-resources --output json > all-tagged-resources.json
    
  2. Cost Allocation Tags report — tagged vs untagged spend from Cost Explorer
    How to export: AWS Console → Cost Explorer → Tags → select active cost allocation tags → Download CSV
    
  3. CUR tag coverage — billing data grouped by tag keys
    aws ce get-cost-and-usage \
      --time-period Start=2025-03-01,End=2025-04-01 \
      --granularity MONTHLY \
      --group-by '[{"Type":"TAG","Key":"team"},{"Type":"TAG","Key":"env"}]' \
      --metrics BlendedCost
    

Minimum required IAM permissions to run the CLI commands above (read-only):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["tag:GetResources", "ce:GetCostAndUsage", "ce:ListCostAllocationTags"],
    "Resource": "*"
  }]
}

If the user cannot provide any data, ask them to describe: their required tag schema (key names and expected values), which AWS services are most used, and the approximate % of resources believed to be properly tagged.

Steps

  1. Compare resource tags against the required tag schema provided
  2. Calculate % of total spend covered by compliant tags
  3. Rank untagged/non-compliant resources by monthly cost impact
  4. Generate AWS Config rules to enforce required tags going forward
  5. Produce a tagging remediation plan

Output Format

  • Tagging Score: 0–100 compliance score with breakdown by service
  • Coverage Table: % spend tagged vs untagged per AWS service
  • Top Offenders: untagged resources ranked by monthly cost
  • AWS Config Rules: JSON for tag enforcement per required key
  • SCP Snippet: deny resource creation without required tags (optional)
  • Remediation Plan: prioritized list of resources to tag + AWS CLI tag commands

Rules

  • Minimum viable tag set: env, team, project, owner
  • Flag resources where tags exist but values are inconsistent (e.g. "Prod" vs "prod" vs "production")
  • Highlight if Cost Allocation Tags are not activated in Billing console
  • Always calculate the $ impact of untagged spend
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
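
A local pre-check for step 1 and for the value-consistency and credential rules above, as an added example that is not part of the skill or its author's code. It assumes the `ResourceTagMappingList` layout that `get-resources` emits; the sample export is constructed, and only case and whitespace variants are treated as inconsistent (it will not equate "prod" with "production").

```python
import json
import re
from collections import defaultdict

REQUIRED = ("env", "team", "project", "owner")  # minimum viable tag set from the Rules
# AWS access key IDs: prefix AKIA (long-term) or ASIA (temporary) plus 16 characters.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Constructed sample in the shape of `get-resources` output; ARNs and values are made up.
# The key ID below is the placeholder used in AWS documentation, not a real credential.
SAMPLE = json.dumps({"ResourceTagMappingList": [
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaa",
     "Tags": [{"Key": "env", "Value": "Prod"}, {"Key": "team", "Value": "pay"},
              {"Key": "project", "Value": "x"}, {"Key": "owner", "Value": "a@example.com"}]},
    {"ResourceARN": "arn:aws:s3:::constructed-bucket",
     "Tags": [{"Key": "env", "Value": "prod"}, {"Key": "Team", "Value": "pay"}]},
    {"ResourceARN": "arn:aws:lambda:us-east-1:111122223333:function:f",
     "Tags": [{"Key": "note", "Value": "AKIAIOSFODNN7EXAMPLE"}]},
]})

def audit(raw):
    """Return (missing keys by ARN, inconsistent values by key, ARNs with key-like strings)."""
    missing, seen, leaks = {}, defaultdict(set), []
    for res in json.loads(raw).get("ResourceTagMappingList", []):
        arn = res["ResourceARN"]
        tags = {t["Key"]: t["Value"] for t in res.get("Tags", [])}
        # Tag keys are case-sensitive, so "Team" does not satisfy "team".
        gaps = [k for k in REQUIRED if not tags.get(k, "").strip()]
        if gaps:
            missing[arn] = gaps
        for k in REQUIRED:
            if k in tags:
                seen[k].add(tags[k])
        # Flag the resource so the value can be redacted before the export is shared.
        if any(KEY_ID.search(v) for v in tags.values()):
            leaks.append(arn)
    inconsistent = {}
    for k, vals in seen.items():
        groups = defaultdict(set)
        for v in vals:
            groups[v.strip().lower()].add(v)  # same value modulo case/whitespace
        variants = [sorted(g) for g in groups.values() if len(g) > 1]
        if variants:
            inconsistent[k] = variants
    return missing, inconsistent, leaks

if __name__ == "__main__":
    for name, result in zip(("missing", "inconsistent", "possible credentials"), audit(SAMPLE)):
        print(name, result)
```

Run it against `all-tagged-resources.json` by passing the file's contents to `audit()`; any ARN in the third result should be inspected and redacted before the export leaves the machine.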
