cloudguard
v1.0.1
Cloud infrastructure & IaC security scanner -- detects insecure Terraform, open S3 buckets, permissive IAM, missing encryption, exposed ports, and cloud misc...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (IaC/cloud misconfiguration scanner) aligns with the provided files. Required binaries (git, bash, python3, jq) are reasonable for a shell-based scanner that reads JSON and decodes JWTs. The single primary credential (CLOUDGUARD_LICENSE_KEY) matches the documented Pro/Team licensing model.
Instruction Scope
Runtime instructions and scripts scan repository files (Terraform, CloudFormation, k8s, Dockerfiles and other text files) and respect .gitignore and common skip folders. This is appropriate for an IaC scanner, but the scanner will read any scanned file it deems IaC (including .env and script files), so it will process files that may contain secrets locally. The code does not contain obvious network/transmission steps (license validation is documented as offline).
Install Mechanism
Install spec uses a brew formula to install lefthook (git hooks manager) — a reasonable, low-risk dependency. The skill ships its own shell scripts which will be sourced/executed locally; there are no downloads from arbitrary URLs or extractor steps in the skill bundle.
Credentials
Only one required credential is declared (CLOUDGUARD_LICENSE_KEY) and the code explicitly reads that env var or a key in ~/.openclaw/openclaw.json. The license module will optionally consult CLAWHUB_JWT_SECRET to verify signatures if set — that env var is referenced but not declared in requires.env (it is optional and used only for local signature verification). No unrelated cloud credentials (AWS keys, etc.) are requested.
Persistence & Privilege
always:false and the skill does not request elevated system privileges. The 'hooks install' command will write/append a lefthook.yml into a git repo and run lefthook install — this is expected behavior for pre-commit integration and limited to the repository where the user runs the command.
Assessment
This skill appears to do what it claims: a local regex-based IaC scanner with an offline license. Before installing, consider:
1) review the included scripts (analyzer.sh, dispatcher.sh, patterns.sh, license.sh) yourself—they will be sourced/executed locally.
2) the scanner will read many file types (including .env and scripts) in the target path, so avoid scanning folders with sensitive runtime secrets you don't want processed even locally.
3) Pro/Team features require a license key stored either in CLOUDGUARD_LICENSE_KEY or ~/.openclaw/openclaw.json — treat that key like any other secret in your environment/CI.
4) Installing hooks will modify or create lefthook.yml in your repo and run lefthook install; inspect the file changes before committing.
If you have low trust, run the tool in an isolated environment or container and inspect outputs first.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
☁️ Clawdis
OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: CLOUDGUARD_LICENSE_KEY
Install
Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook