VMware ESXI-standalone automation skill
PassAudited by ClawScan on May 10, 2026.
Overview
This is a transparent post-install vmctl playbook, but it can use existing ESXi access to create, delete, purge, and recover test VM state.
Before installing or using this skill, verify the vmctl binary and config on the host, ensure the ESXi credentials are limited to test lifecycle work, and tell the agent to restrict actions to `vmctl-test-*` resources unless you explicitly approve broader recovery or cleanup.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on the wrong environment or with broad vmctl permissions, the agent could create or remove VMs or alter vmctl state.
The skill explicitly authorizes state-changing vmctl operations, including create/delete/purge/recover. These are purpose-aligned for a smoke test and cleanup, but they can affect real ESXi resources.
Minimum needed operations: `mode`, `preflight`, `doctor`, `list`, `create`, `status`, `delete`, `purge`, `recover`.
Use it only on the intended ESXi/Hermes host, keep VM names under `vmctl-test-*`, and require explicit confirmation before applying recovery or cleaning up anything not created by the current smoke test.
The agent may inherit enough ESXi authority to manage VMs through vmctl.
The skill relies on existing ESXi/helper credentials rather than asking for new ones. That is expected for vmctl automation, but it means the agent acts with whatever ESXi permissions are already available.
Required credential context: ESXi/helper credentials are already configured by installer.
Confirm the configured credentials are least-privileged and limited to the intended helper workflow and test VM lifecycle actions.
The safety of the actual vmctl binary depends on what the operator installed.
The skill depends on an external vmctl installation from a GitHub project. It does not silently install it, but the external tool's provenance and version are outside this skill artifact.
Installation source (performed by operator): - Repository: https://github.com/bashrusakh/vmctl ... If `vmctl` is missing, the agent must stop and ask operator to install from the repo/release link above.
Install vmctl only from a reviewed, pinned release or commit, and verify it before letting the agent run lifecycle operations.