Cloud Security Posture Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to be a legitimate cloud audit checklist, but one GCP prerequisite asks for much more power than a read-only review needs.
Use this only with narrowly scoped, read-only cloud credentials and a clearly defined target account/subscription/project list. In particular, do not grant GCP roles/storage.admin just to inspect bucket IAM; use a least-privilege viewer or custom role instead.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill claims a read-only safety posture but asks for GCP Storage Admin (roles/storage.admin), a broad role that can administer Cloud Storage rather than only inspect bucket IAM.
If those credentials are active in the agent environment, the session may have authority to change or delete GCP storage resources even though the audit only needs inspection.
Evidence from the skill metadata: safety: read-only ... **[GCP]** gcloud CLI configured ... roles `roles/iam.securityReviewer`, `roles/cloudkms.viewer`, `roles/compute.viewer`, `roles/storage.admin` (for bucket IAM inspection)
Recommendation: use least-privilege read-only roles or a custom GCP role limited to the specific bucket/project inspection permissions needed, and do not grant roles/storage.admin for this skill.
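One way to enforce that recommendation before an agent session starts, as an added example that is not ClawScan's or the skill's own code: judge the requested roles from the metadata alone, then inspect the IAM policy the audit principal actually holds (in the JSON shape `gcloud projects get-iam-policy PROJECT --format=json` returns) and refuse to run while it holds a mutating role. The sample policy, the `cloud-audit` service account and the `audit-proj` project are constructed for this example; the permission list is the minimal set for listing buckets and reading their IAM policies, which is what roles/storage.admin was requested for.

```python
import json

# Roles the skill's metadata asks for (quoted in the finding above).
REQUESTED_ROLES = {
    "roles/iam.securityReviewer",
    "roles/cloudkms.viewer",
    "roles/compute.viewer",
    "roles/storage.admin",
}

# Predefined roles that can create, modify or delete resources; a read-only audit must not hold them.
MUTATING_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/storage.admin",
    "roles/storage.objectAdmin",
}

# The permissions actually needed to enumerate buckets and read their IAM policies.
BUCKET_IAM_INSPECTION_PERMISSIONS = [
    "storage.buckets.list",
    "storage.buckets.get",
    "storage.buckets.getIamPolicy",
]

# Hypothetical audit principal used throughout the example.
AUDIT_SA = "serviceAccount:cloud-audit@audit-proj.iam.gserviceaccount.com"

# Constructed sample in the shape `gcloud projects get-iam-policy audit-proj --format=json` returns.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/iam.securityReviewer", "members": [AUDIT_SA]},
        {"role": "roles/compute.viewer", "members": [AUDIT_SA]},
        {"role": "roles/storage.admin", "members": [AUDIT_SA, "user:alice@example.com"]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ],
    "version": 1,
})


def requested_roles_exceeding_read_only() -> set:
    """Requested roles that are mutating, judged from the metadata alone (no cloud access needed)."""
    return REQUESTED_ROLES & MUTATING_ROLES


def roles_for_member(policy_json: str, member: str) -> set:
    """Every role bound to `member` in a project-level IAM policy."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def overbroad_roles(policy_json: str, member: str) -> set:
    """Roles `member` actually holds that exceed inspection; non-empty means refuse to run the skill."""
    return roles_for_member(policy_json, member) & MUTATING_ROLES


def custom_inspection_role() -> dict:
    """Role body for `gcloud iam roles create bucketIamInspector --project=PROJECT --file=role.yaml`.
    The flag takes a YAML file; JSON is syntactically valid YAML, so json.dumps of this dict can be written to it."""
    return {
        "title": "Bucket IAM Inspector",
        "description": "Read-only: list buckets and read their IAM policies.",
        "stage": "GA",
        "includedPermissions": BUCKET_IAM_INSPECTION_PERMISSIONS,
    }


if __name__ == "__main__":
    print("metadata check, mutating roles requested:", sorted(requested_roles_exceeding_read_only()))
    bad = overbroad_roles(SAMPLE_POLICY, AUDIT_SA)
    if bad:
        print(f"REFUSE: {AUDIT_SA} holds {sorted(bad)}; bind this custom role instead:")
        print(json.dumps(custom_inspection_role(), indent=2))
    else:
        print("OK: audit principal is inspection-scoped")
```

The metadata check is the one to run first, since it needs no credentials: the requested set already contains a mutating role, so the skill's "read-only" claim fails before any cloud call. The policy check catches the other failure mode, a principal that was granted more than the skill asked for.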
The skill itself declares external CLIs, cloud egress endpoints, and an MCP dependency, while the registry requirement summary says no required binaries or credentials.
Users may not realize from the registry summary that using the skill depends on local cloud CLIs, configured cloud accounts, and potentially an MCP dependency.
Evidence from the skill manifest: "requires":{"bins":["aws","az","gcloud"],"env":[]},"mcpDependencies":["aws-network-mcp"],"egressEndpoints":["*.amazonaws.com:443","management.azure.com:443","*.googleapis.com:443"]
Recommendation: verify the AWS, Azure, and GCP CLIs and any MCP dependency before use, and treat the registry metadata as incomplete for setup and access planning.
