Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Spend Analyzer
v1.0.0
Analyze AWS Cost & Usage Reports to identify top cost drivers, waste, and anomalies across all linked accounts
⭐ 0 · 387 · 0 current · 0 all-time
by Anmol Nagpal (@anmolnagpal)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name, description, example AWS CLI commands, and the minimal IAM policy align with an AWS Cost & Usage Report (CUR) analysis workflow. Asking for exported CSV/JSON or Cost Explorer output is appropriate for the stated goal.
Instruction Scope
The SKILL.md explicitly states it will not execute AWS CLI commands and asks the user to provide exports or CLI output, which keeps the scope to data analysis. However the header lists 'tools: ... bash' while the doc says it won't run CLI commands—this is an inconsistency that could affect whether the agent might execute commands in some runtime environments. The instructions also rightly tell the agent to confirm there are no credentials in pasted data.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest-risk install footprint. Nothing is being downloaded or installed by the skill.
Credentials
The skill requests no environment variables, keys, or config paths. It asks users to supply exported billing data or CLI output (which reasonably includes account IDs and resource identifiers). No unexplained credential requests are present and a sample least-privilege IAM policy is provided for users who choose to run the commands themselves.
Persistence & Privilege
always:false and no install; the skill does not request permanent presence or elevated platform privileges. Autonomous invocation is allowed by default but not combined here with broad credential requests.
Assessment
This skill appears to do what it says: analyze exported AWS billing data. Before using it, consider the following: (1) The skill is from an unknown source with no homepage—only proceed if you trust the environment or author. (2) Do not paste AWS credentials, access keys, or secrets; follow the skill's instruction to confirm pasted data contains no credentials. Billing exports can still include sensitive metadata (account IDs, resource ARNs, tags); sanitize or redact anything you don't want shared. (3) The header lists a 'bash' tool while the instructions claim not to execute CLI commands—ask the skill owner or runtime whether the assistant will run commands on your behalf; prefer running aws CLI locally and then pasting sanitized output rather than granting remote execution. (4) If you need stronger assurance, request provenance (who authored/published the skill) or a checksum/signature for the SKILL.md. Providing those will raise confidence in the skill.
latest: vk970rez8pwc9618b3tcegrs2g18237br
