VMware ESXI-standalone automation skill

Pass

Audited by VirusTotal on May 8, 2026.

Overview

Type: OpenClaw Skill
Name: vmctl-ops
Version: 1.0.2

The vmctl-ops skill is a standard operational playbook for validating the installation of the vmctl virtualization management tool. It defines a clear lifecycle for health checks (preflight, doctor) and a smoke test (create, status, delete, purge) using test-specific naming conventions. The skill includes safety constraints, such as refusing to perform bootstrap installations and requiring manual operator intervention if prerequisites are missing, and uses a transparent Python snippet for local state file lookups in /opt/hermes-vmctl/state/deleted/.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used on the wrong environment or with broad vmctl permissions, the agent could create or remove VMs or alter vmctl state.

Why it was flagged

The skill explicitly authorizes state-changing vmctl operations, including create/delete/purge/recover. These are purpose-aligned for a smoke test and cleanup, but they can affect real ESXi resources.

Skill content

Minimum needed operations: `mode`, `preflight`, `doctor`, `list`, `create`, `status`, `delete`, `purge`, `recover`.

Recommendation

Use it only on the intended ESXi/Hermes host, keep VM names under `vmctl-test-*`, and require explicit confirmation before applying recovery or cleaning up anything not created by the current smoke test.

What this means

The agent may inherit enough ESXi authority to manage VMs through vmctl.

Why it was flagged

The skill relies on existing ESXi/helper credentials rather than asking for new ones. That is expected for vmctl automation, but it means the agent acts with whatever ESXi permissions are already available.

Skill content

Required credential context: ESXi/helper credentials are already configured by installer.

Recommendation

Confirm the configured credentials are least-privileged and limited to the intended helper workflow and test VM lifecycle actions.

What this means

The safety of the actual vmctl binary depends on what the operator installed.

Why it was flagged

The skill depends on an external vmctl installation from a GitHub project. It does not silently install it, but the external tool's provenance and version are outside this skill artifact.

Skill content

Installation source (performed by operator): - Repository: https://github.com/bashrusakh/vmctl ... If `vmctl` is missing, the agent must stop and ask operator to install from the repo/release link above.

Recommendation

Install vmctl only from a reviewed, pinned release or commit, and verify it before letting the agent run lifecycle operations.