Cloud Sdk

Security checks across malware telemetry and agentic risk

Overview

This appears to be a simple local shell-based helper with disclosed local logging, though its Go Cloud/Go CDK branding and install wiring are somewhat inconsistent.

Review the scripts before relying on this as Go CDK tooling. It appears to be a basic local helper that records command history under `~/.local/share/cloud-sdk/` by default, so avoid putting sensitive values in command arguments.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI09: Human-Agent Trust Exploitation
Low
What this means

You may install it expecting a real Go CDK integration, but the provided implementation appears to be a lightweight generic command wrapper.

Why it was flagged

The stated Go CDK/open-cloud description does not fully match the later generic CLI workflow description or the placeholder shell scripts. This could cause users to overestimate how closely the skill is related to Go CDK, or how complete it is as Go CDK tooling.

Skill content
description: "The Go Cloud Development Kit (Go CDK): A library and tools for open cloud development in Go..." ... "Developer workflow automation tool for project lifecycle management."
Recommendation

Verify the source and behavior before relying on it for Go CDK development or cloud workflows.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The command may not be available unless you manually wire the script into your environment, and it may be unclear which script is intended.

Why it was flagged

The registry does not define an install mechanism even though executable shell scripts are present and the documentation refers to commands such as `cloud-sdk`. This is an installation/provenance clarity gap rather than evidence of unsafe code.

Skill content
Install specifications: No install spec — this is an instruction-only skill.
Code file presence: 2 code file(s): scripts/go_cloud.sh, scripts/script.sh
Recommendation

Check how the command is installed or invoked, and prefer reviewing the exact script before adding it to your PATH.

ASI06: Memory and Context Poisoning
Low
What this means

Command names and some arguments can remain on disk after use, which may matter if arguments include private project names or secrets.

Why it was flagged

The script creates a persistent local data directory and appends command history to `history.log`. SKILL.md also discloses this behavior, and no external transmission is shown.

Skill content
DATA_DIR="${CLOUD_SDK_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/cloud-sdk}" ... _log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; }
Recommendation

Do not pass secrets as command arguments, and periodically inspect or delete the local history file if needed.