Komodo
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill appears focused on Komodo infrastructure management, but it includes high-impact infrastructure actions and a concrete non-placeholder Komodo URL that could misdirect API credentials if copied.
Install only if you want this agent to manage your Komodo infrastructure. Before use, replace the shown KOMODO_ADDRESS with your own verified Komodo Core URL, use a least-privileged API key, and require explicit confirmation before deploy, stop, delete, build, or procedure actions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Komodo API key and secret could be sent to the wrong server, and actions could target infrastructure you did not intend.
The credential setup block presents a concrete non-placeholder Komodo URL. If a user or agent copies it, API credentials would be sent to that host rather than the user's intended Komodo server.
export KOMODO_ADDRESS="https://komodo.weird.cyou"
export KOMODO_API_KEY="K-..."
export KOMODO_API_SECRET="S-..."
Replace this with a placeholder such as https://komodo.example.com, verify the Komodo address before setting credentials, and never use the shown URL unless it is your own server.
An agent with these credentials could stop, restart, redeploy, delete stack resources, or run procedures in your Komodo environment.
The skill gives the agent high-impact mutation commands and also encourages direct raw API calls for additional operations, without visible approval, resource scoping, or safety checks.
python scripts/komodo.py stop <name>
python scripts/komodo.py restart <name>
python scripts/komodo.py delete-stack <name>
python scripts/komodo.py run-procedure <name>
For operations not covered by the CLI, use curl:
Require explicit user confirmation for execute/delete/procedure actions, limit actions to named resources, use least-privileged API keys, and prefer reviewed CLI paths over open-ended curl calls.
Anyone or any agent process with access to these environment variables can act through your Komodo API key.
The helper sends Komodo API credentials as headers on API calls. This is expected for a Komodo integration, but those credentials authorize sensitive infrastructure operations.
"X-Api-Key": KOMODO_API_KEY,
"X-Api-Secret": KOMODO_API_SECRET,
Use a dedicated, revocable, least-privileged Komodo API key and avoid exposing these environment variables outside the intended agent session.
You have less assurance about who maintains the skill or where to audit updates and issues.
The skill has no declared source or homepage, which makes provenance harder to verify for a tool that can control infrastructure.
Source: unknown
Homepage: none
Review the included code before use and prefer installing infrastructure-management skills from a known, trusted source.
