Cloud Infra Automation
WarnAudited by ClawScan on May 18, 2026.
Overview
The skill is not shown to be malicious, but it asks for powerful cloud-infrastructure actions through missing and under-declared tooling, including production create and destroy commands.
Review carefully before installing or using. Do not run the documented commands until you know what ./cloud.sh is, which cloud account and environment it targets, and whether there is a safe plan/approval step. Use a least-privilege cloud profile and avoid production or destroy operations unless you have verified the implementation and have backups or rollback procedures.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could create, change, or destroy production cloud infrastructure if these commands are followed without additional safeguards.
These instructions expose high-impact cloud mutation and destruction workflows for a production environment, but the artifact gives no approval, dry-run, plan-review, account-scope, or rollback requirements.
# Create infrastructure ./cloud.sh apply prod # Destroy ./cloud.sh destroy prod
Require explicit user approval for every mutating action, show a Terraform/CloudFormation plan before apply, require separate confirmation for destroy, and document exact account, project, subscription, region, and environment boundaries.
The skill may act with whatever broad cloud permissions are already configured on the machine, potentially affecting the wrong account, project, subscription, or environment.
Cloud CLIs typically use local authenticated profiles or credentials to act on cloud accounts. The registry declares no primary credential, required environment variables, or config paths, so the privilege boundary is not clear despite the skill's ability to manage infrastructure.
## Requirements - Terraform - Ansible - AWS/GCP/Azure CLI
Declare required credentials and config paths, require users to select the exact cloud profile/account/project/subscription, and recommend least-privilege roles limited to the intended environment.
A user or agent might run an unreviewed local script named cloud.sh, which could perform arbitrary infrastructure actions.
The package contains no cloud.sh script even though SKILL.md instructs running ./cloud.sh. That means the referenced automation is missing from the reviewed artifacts, and any script executed under that name would be outside the supplied package review.
2 file(s): SKILL.md (656 bytes) _meta.json (370 bytes)
Include the referenced script and templates in the package, pin and document dependencies, or remove the command until the implementation can be reviewed.