Azure Cosmos DB Python
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run against the wrong Azure account or with the wrong settings, it could create persistent database resources or incur Cosmos DB throughput costs.
The helper script can create Cosmos DB databases/containers and optionally provision throughput, which is expected for this skill but can change cloud resources and costs.
    database = client.create_database_if_not_exists(id=database_id)
    ...
    container = database.create_container_if_not_exists(
        **container_props,
        offer_throughput=throughput
    )

Run the script only for the intended Azure endpoint, database, and container; review throughput, TTL, and indexing options before execution.
The skill may act with the permissions of your Azure account or Cosmos DB key, including the ability to create resources or read container metadata.
The script uses an account key or Azure DefaultAzureCredential to access Cosmos DB. This is normal for Azure integration, but it grants authority according to the user's Azure permissions.
    key = os.environ.get("COSMOS_KEY")
    if key:
        return CosmosClient(url=endpoint, credential=key)
    else:
        credential = DefaultAzureCredential()
        return CosmosClient(url=endpoint, credential=credential)

Use least-privilege Cosmos DB/Azure roles, prefer scoped credentials over broad account keys, and verify `COSMOS_ENDPOINT` points to the intended account.
Installing unpinned packages can pull newer dependency versions than expected.
The skill asks users to install external Python packages without version pins. This is expected for an SDK guide, but package provenance and versions should be verified.
    pip install azure-cosmos azure-identity

Install official Azure packages from a trusted package index and consider pinning versions in production environments.
