Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ansible

v0.1.0

Infrastructure automation with Ansible. Use for server provisioning, configuration management, application deployment, and multi-host orchestration. Includes playbooks for OpenClaw VPS setup, security hardening, and common server configurations.

by rhbotond@botond-rackhost

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name, description, required binaries (ansible, ansible-playbook), and the provided playbooks/roles align with an Ansible provisioning/configuration skill. Included roles cover common, security, nodejs, and openclaw tasks which match the description. One notable item: the sample inventory contains explicit public IPs and host entries (e.g., 217.13.104.99, 217.13.104.231) and references to specific private-key paths; these are plausible as examples but may be unexpected if you expected only generic templates.
Instruction Scope
SKILL.md instructs the agent to run ansible/ansible-playbook, use ansible-vault, and manage SSH keys — all normal for this skill. However, the instructions and provided inventory would cause the agent/operator to connect to and run commands on remote servers if executed as-is. The skill does not instruct reading unrelated local files, but it does reference local SSH keys (~/.ssh/...) and vault password files (~/.vault_pass), so sensitive local secrets will be used if present.
Install Mechanism
Install spec uses pip to install 'ansible', which is the standard distribution channel for Ansible. This is expected; note that pip installs may require elevated privileges or land in a virtualenv or the system Python, and will pull in many dependencies (normal for Ansible). No download-from-arbitrary-URL or obscure installers are present.
Credentials
The skill declares no required environment variables or credentials, which is consistent. At runtime the playbooks expect SSH keys, ansible-vault files, and possibly vault passwords (via --ask-vault-pass or a vault password file). Those secrets are used for their intended purpose but are not declared in metadata — the user should supply them. There are no unrelated credentials requested.
Persistence & Privilege
The skill is not always:true and does not request unusual persistent platform privileges. It will create or modify configuration and services on remote target machines (systemd units, sudoers entries) as part of provisioning — that is normal and expected for this type of skill. The skill's own files (playbooks, ansible.cfg) are static and contained in its bundle.
Scan Findings in Context
[no-findings] expected: The regex-based scanner had nothing to analyze (instruction-only plus YAML/playbooks). Lack of findings is not evidence of safety; review playbooks and inventories manually (which was done here).
Assessment
This bundle appears to be a legitimate Ansible playbook collection, but take these precautions before running anything:

  • Inspect and sanitize inventory/hosts.yml. The skill includes concrete IP addresses and paths to private keys; replace them with your own hosts or remove the samples to avoid connecting to unknown servers.
  • Never run playbooks against hosts you don't control. Running these playbooks makes root-level changes on target machines (user creation, sudoers files, systemd units, firewall rules).
  • Protect secrets: the playbooks expect vault files and local SSH private keys (~/.ssh, ~/.vault_pass). Ensure vault passwords and private keys are stored securely and not committed to source control.
  • Prefer a dry run first: run ansible-playbook with --check --diff and --limit against a test host before production. Use ansible-playbook -vvvv for debugging.
  • pip install ansible may require elevated privileges or a virtual environment; consider installing in a venv to avoid system-wide package changes.
  • Confirm external actions: the playbooks add the NodeSource apt repository and import its GPG key (a network call), and install npm packages globally; verify those sources if you require stricter supply-chain controls.

If you want a higher-confidence assessment, provide: (1) confirmation that the listed inventory IPs are intended, (2) whether you will run playbooks locally or only against private test hosts, and (3) whether you require the skill to include fewer default keys/examples.


Runtime requirements

Bins: ansible, ansible-playbook
Latest: vk97ewfdc3cc3hpqt17e37f0tp180bwas
2.4k downloads · 0 stars · 1 version
Updated 22h ago · v0.1.0 · MIT-0

Ansible Skill

Infrastructure as Code automation for server provisioning, configuration management, and orchestration.

Quick Start

Prerequisites

# Install Ansible
pip install ansible

# Or on macOS
brew install ansible

# Verify
ansible --version

Run Your First Playbook

# Test connection
ansible all -i inventory/hosts.yml -m ping

# Run playbook
ansible-playbook -i inventory/hosts.yml playbooks/site.yml

# Dry run (check mode)
ansible-playbook -i inventory/hosts.yml playbooks/site.yml --check

# With specific tags
ansible-playbook -i inventory/hosts.yml playbooks/site.yml --tags "security,nodejs"

Directory Structure

skills/ansible/
├── SKILL.md              # This file
├── inventory/            # Host inventories
│   ├── hosts.yml         # Main inventory
│   └── group_vars/       # Group variables
├── playbooks/            # Runnable playbooks
│   ├── site.yml          # Master playbook
│   ├── openclaw-vps.yml  # OpenClaw VPS setup
│   └── security.yml      # Security hardening
├── roles/                # Reusable roles
│   ├── common/           # Base system setup
│   ├── security/         # Hardening (SSH, fail2ban, UFW)
│   ├── nodejs/           # Node.js installation
│   └── openclaw/         # OpenClaw installation
└── references/           # Documentation
    ├── best-practices.md
    ├── modules-cheatsheet.md
    └── troubleshooting.md

Core Concepts

Inventory

Define your hosts in inventory/hosts.yml:

all:
  children:
    vps:
      hosts:
        eva:
          ansible_host: 217.13.104.208
          ansible_user: root
          ansible_ssh_pass: "{{ vault_eva_password }}"
        plane:
          ansible_host: 217.13.104.99
          ansible_user: asdbot
          ansible_ssh_private_key_file: ~/.ssh/id_ed25519_plane
    
    openclaw:
      hosts:
        eva:
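The scan assessment above asks the operator to inspect the inventory for concrete IPs, plaintext passwords, root logins and local private-key paths before running anything. The following checker is an added example (not part of the skill bundle or of ClawHub's scanner) that walks an inventory in the hosts:/name:/key: value layout shown above and reports exactly those items, so it can gate a run before ansible-playbook is ever invoked. The sample inventory embedded below is constructed from the page's own entries (including the newserver entry from Pattern 1); the approved-host list is a hypothetical operator allowlist.

```python
import re
from collections import namedtuple
from typing import Iterable, List

Finding = namedtuple("Finding", "line host severity message")

# Constructed sample input: the inventory layout documented in SKILL.md plus
# the `newserver` entry from Pattern 1. Used here only as checker input.
SAMPLE_INVENTORY = """\
all:
  children:
    vps:
      hosts:
        eva:
          ansible_host: 217.13.104.208
          ansible_user: root
          ansible_ssh_pass: "{{ vault_eva_password }}"
        plane:
          ansible_host: 217.13.104.99
          ansible_user: asdbot
          ansible_ssh_private_key_file: ~/.ssh/id_ed25519_plane
        newserver:
          ansible_host: 1.2.3.4
          ansible_user: root
          ansible_ssh_pass: "initial_password"
    openclaw:
      hosts:
        eva:
"""

MAPPING_KEY = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*$")       # `name:` with no value
KEY_VALUE = re.compile(r"^(\s*)([A-Za-z0-9_]+):\s*(\S.*?)\s*$")  # `key: value`
VAULT_REF = re.compile(r"\{\{\s*vault_[A-Za-z0-9_]+\s*\}\}")    # "{{ vault_x }}"


def audit_inventory(text: str, approved_hosts: Iterable[str]) -> List[Finding]:
    """Walk a YAML inventory line by line (hosts:/<name>:/<key>: <value> layout
    only) and report the settings the scan assessment says to review."""
    approved = set(approved_hosts)
    findings: List[Finding] = []
    hosts_indent = None   # indentation of the enclosing `hosts:` key
    current = None        # host currently being described
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = MAPPING_KEY.match(raw)
        if m:
            indent, name = len(m.group(1)), m.group(2)
            if name == "hosts":
                hosts_indent, current = indent, None
            elif hosts_indent is not None and indent == hosts_indent + 2:
                current = name                      # a host entry under hosts:
            elif hosts_indent is not None and indent <= hosts_indent:
                hosts_indent, current = None, None  # left the hosts: block
            continue
        m = KEY_VALUE.match(raw)
        if not m or current is None:
            continue
        key, value = m.group(2), m.group(3).strip("\"'")
        if key == "ansible_host" and value not in approved:
            findings.append(Finding(lineno, current, "high",
                            f"target {value} is not in the approved host list"))
        elif key == "ansible_ssh_pass" and not VAULT_REF.search(value):
            findings.append(Finding(lineno, current, "high",
                            "plaintext SSH password; move it to ansible-vault"))
        elif key == "ansible_user" and value == "root":
            findings.append(Finding(lineno, current, "medium",
                            "connects as root; prefer a deploy user with sudo"))
        elif key == "ansible_ssh_private_key_file":
            findings.append(Finding(lineno, current, "info",
                            f"uses local private key {value}"))
    return findings


def has_blocking_findings(findings: List[Finding]) -> bool:
    """True when at least one finding should stop the run."""
    return any(f.severity == "high" for f in findings)


if __name__ == "__main__":
    # Hypothetical allowlist: only the two hosts the operator actually owns.
    for f in audit_inventory(SAMPLE_INVENTORY, ["217.13.104.208", "217.13.104.99"]):
        print(f"line {f.line:>3} [{f.severity:6}] {f.host}: {f.message}")
```

On the sample above the checker flags newserver twice (unapproved target and a literal password) and reports eva's root login and plane's key path; a wrapper script can refuse to call ansible-playbook while has_blocking_findings is true. The parser is deliberately minimal and only understands the layout shown on this page; for arbitrary inventories, feed it the JSON from ansible-inventory --list instead.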

Playbooks

Entry points for automation:

# playbooks/site.yml - Master playbook
---
- name: Configure all servers
  hosts: all
  become: yes
  roles:
    - common
    - security

- name: Setup OpenClaw servers
  hosts: openclaw
  become: yes
  roles:
    - nodejs
    - openclaw

Roles

Reusable, modular configurations:

# roles/common/tasks/main.yml
---
- name: Update apt cache
  ansible.builtin.apt:
    update_cache: yes
    cache_valid_time: 3600
  when: ansible_os_family == "Debian"

- name: Install essential packages
  ansible.builtin.apt:
    name:
      - curl
      - wget
      - git
      - htop
      - vim
      - unzip
    state: present

Included Roles

1. common

Base system configuration:

  • System updates
  • Essential packages
  • Timezone configuration
  • User creation with SSH keys

2. security

Hardening following CIS benchmarks:

  • SSH hardening (key-only, no root)
  • fail2ban for brute-force protection
  • UFW firewall configuration
  • Automatic security updates

3. nodejs

Node.js installation via NodeSource:

  • Configurable version (default: 22.x LTS)
  • npm global packages
  • pm2 process manager (optional)

4. openclaw

Complete OpenClaw setup:

  • Node.js (via nodejs role)
  • OpenClaw npm installation
  • Systemd service
  • Configuration file setup

Usage Patterns

Pattern 1: New VPS Setup (OpenClaw)

# 1. Add host to inventory
#    (>> appends at the end of the file, i.e. under the last group's hosts:;
#    if that is not the intended group, place the entry there by hand instead)
cat >> inventory/hosts.yml << 'EOF'
        newserver:
          ansible_host: 1.2.3.4
          ansible_user: root
          ansible_ssh_pass: "initial_password"
          deploy_user: asdbot
          deploy_ssh_pubkey: "ssh-ed25519 AAAA... asdbot"
EOF

# 2. Run OpenClaw playbook
ansible-playbook -i inventory/hosts.yml playbooks/openclaw-vps.yml \
  --limit newserver \
  --ask-vault-pass

# 3. After initial setup, update inventory to use key auth
# ansible_user: asdbot
# ansible_ssh_private_key_file: ~/.ssh/id_ed25519

Pattern 2: Security Hardening Only

ansible-playbook -i inventory/hosts.yml playbooks/security.yml \
  --limit production \
  --tags "ssh,firewall"

Pattern 3: Rolling Updates

# Update one server at a time. `serial` is a play keyword, not a CLI flag:
# set `serial: 1` in playbooks/update.yml, or declare it there as
#   serial: "{{ batch_size | default(1) }}"
# (batch_size is an illustrative variable name) and override it with -e:
ansible-playbook -i inventory/hosts.yml playbooks/update.yml \
  -e batch_size=1

Pattern 4: Ad-hoc Commands

# Check disk space on all servers
ansible all -i inventory/hosts.yml -m shell -a "df -h"

# Restart service
ansible openclaw -i inventory/hosts.yml -m systemd -a "name=openclaw state=restarted"

# Copy file
ansible all -i inventory/hosts.yml -m copy -a "src=./file.txt dest=/tmp/"

Variables & Secrets

Group Variables

# inventory/group_vars/all.yml
---
timezone: Europe/Budapest
deploy_user: asdbot
ssh_port: 22

# Security
security_ssh_password_auth: false
security_ssh_permit_root: false
security_fail2ban_enabled: true
security_ufw_enabled: true
security_ufw_allowed_ports:
  - 22
  - 80
  - 443

# Node.js
nodejs_version: "22.x"

Vault for Secrets

# Create encrypted vars file
ansible-vault create inventory/group_vars/all/vault.yml

# Edit encrypted file
ansible-vault edit inventory/group_vars/all/vault.yml

# Run with vault
ansible-playbook site.yml --ask-vault-pass

# Or use vault password file
ansible-playbook site.yml --vault-password-file ~/.vault_pass

Vault file structure:

# inventory/group_vars/all/vault.yml
---
vault_eva_password: "y8UGHR1qH"
vault_deploy_ssh_key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  ...
  -----END OPENSSH PRIVATE KEY-----
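The vault file above is shown in its decrypted form; on disk it must only ever exist as ansible-vault output, and the assessment's "not committed to source control" precaution is easy to violate by committing the plaintext version. The following pre-commit style check is an added example (not part of the skill bundle) that classifies files by content: an encrypted vault starts with the $ANSIBLE_VAULT; header, so anything named vault.yml without that header, any file containing a PEM private key block, and any plaintext file defining vault_* variables is reported. The sample tree is constructed, with placeholder values and a truncated dummy ciphertext body.

```python
import re
from typing import Dict, Optional

VAULT_HEADER = "$ANSIBLE_VAULT;"   # every ansible-vault encrypted file starts with this
VAULT_VAR = re.compile(r"^\s*vault_[A-Za-z0-9_]+\s*:", re.MULTILINE)
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Constructed sample tree (path -> contents), not files from the skill bundle.
# Values are placeholders; the "encrypted" body is truncated dummy hex.
SAMPLE_TREE: Dict[str, str] = {
    "inventory/group_vars/all.yml":
        "---\ntimezone: Europe/Budapest\ndeploy_user: asdbot\n",
    "inventory/group_vars/all/vault.yml":        # layout from SKILL.md, left in the clear
        '---\nvault_eva_password: "CHANGE_ME"\n',
    "inventory/group_vars/prod/vault.yml":       # correctly encrypted
        "$ANSIBLE_VAULT;1.1;AES256\n61626364656667\n",
    "roles/openclaw/files/deploy_key":           # key material in a plain file
        "-----BEGIN OPENSSH PRIVATE KEY-----\nQUJDREVG\n-----END OPENSSH PRIVATE KEY-----\n",
}


def is_vault_encrypted(text: str) -> bool:
    """ansible-vault writes its header on the first line of every encrypted file."""
    return text.startswith(VAULT_HEADER)


def classify(path: str, text: str) -> Optional[str]:
    """Return a reason string if `path` must not be committed as-is, else None."""
    if is_vault_encrypted(text):
        return None
    if path.split("/")[-1] == "vault.yml":
        return "vault file is not encrypted"
    if PRIVATE_KEY.search(text):
        return "private key material stored in the clear"
    if VAULT_VAR.search(text):
        return "vault_* variable defined outside an encrypted file"
    return None


def find_unencrypted_secrets(tree: Dict[str, str]) -> Dict[str, str]:
    """Map each offending path to its reason; an empty dict means the tree is clean."""
    result: Dict[str, str] = {}
    for path in sorted(tree):
        reason = classify(path, tree[path])
        if reason:
            result[path] = reason
    return result


if __name__ == "__main__":
    for path, reason in find_unencrypted_secrets(SAMPLE_TREE).items():
        print(f"BLOCK {path}: {reason}")
```

Run against the real checkout, the tree dictionary would be built from git ls-files (staged files in a pre-commit hook), and a non-empty result should fail the commit. Checking the header rather than the file name is what catches the common mistake of running ansible-vault decrypt for an edit and forgetting to re-encrypt.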

Common Modules

Module          Purpose                      Example
apt             Package management (Debian)  apt: name=nginx state=present
yum             Package management (RHEL)    yum: name=nginx state=present
copy            Copy files                   copy: src=file dest=/path/
template        Template files (Jinja2)      template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
file            File/directory management    file: path=/dir state=directory mode=0755
user            User management              user: name=asdbot groups=sudo shell=/bin/bash
authorized_key  SSH keys                     authorized_key: user=asdbot key="{{ ssh_key }}"
systemd         Service management           systemd: name=nginx state=started enabled=yes
ufw             Firewall (Ubuntu)            ufw: rule=allow port=22 proto=tcp
lineinfile      Edit single line             lineinfile: path=/etc/ssh/sshd_config regexp='^PermitRootLogin' line='PermitRootLogin no'
git             Clone repos                  git: repo=https://github.com/x/y.git dest=/opt/y
npm             npm packages                 npm: name=openclaw global=yes
command         Run command                  command: /opt/script.sh
shell           Run shell command            shell: cat /etc/passwd | grep root

Best Practices

1. Always Name Tasks

# Good
- name: Install nginx web server
  apt:
    name: nginx
    state: present

# Bad
- apt: name=nginx

2. Use FQCN (Fully Qualified Collection Names)

# Good
- ansible.builtin.apt:
    name: nginx

# Acceptable but less clear
- apt:
    name: nginx

3. Explicit State

# Good - explicit state
- ansible.builtin.apt:
    name: nginx
    state: present

# Bad - implicit state
- ansible.builtin.apt:
    name: nginx

4. Idempotency

Write tasks that can run multiple times safely:

# Good - idempotent
- name: Ensure config line exists
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^PasswordAuthentication'
    line: 'PasswordAuthentication no'

# Bad - not idempotent
- name: Add config line
  ansible.builtin.shell: echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
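The difference between the two tasks above is not cosmetic. The following added example (written for this page, not taken from the skill or from Ansible itself) models lineinfile's regexp-plus-line contract in plain Python next to the echo >> approach, and runs each twice over a constructed sshd_config fragment. It also shows the security consequence the "Bad" variant has on real hosts: sshd honours the first occurrence of a keyword, so an appended PasswordAuthentication no never takes effect while an earlier PasswordAuthentication yes exists.

```python
import re
from typing import Optional, Tuple

# Constructed sample sshd_config fragment (not a file from the skill bundle).
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""


def ensure_line(content: str, regexp: str, line: str) -> Tuple[str, bool]:
    """Mimic lineinfile with regexp + line: replace the last line matching
    `regexp`, or append `line` if nothing matches.  Returns (content, changed)
    so repeated runs report changed=False, like an idempotent Ansible task."""
    pattern = re.compile(regexp)
    lines = content.splitlines()
    matches = [i for i, text in enumerate(lines) if pattern.search(text)]
    if matches:
        idx = matches[-1]
        if lines[idx] == line:
            return content, False          # already in the desired state
        lines[idx] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n", True


def append_line(content: str, line: str) -> Tuple[str, bool]:
    """The `shell: echo ... >> file` approach: appends on every run, always 'changed'."""
    return content + line + "\n", True


def count_directive(content: str, keyword: str) -> int:
    """How many lines set `keyword` (duplicates show a non-idempotent task)."""
    return sum(1 for text in content.splitlines() if text.split(None, 1)[:1] == [keyword])


def effective_value(content: str, keyword: str) -> Optional[str]:
    """sshd uses the first occurrence of a keyword; later duplicates are ignored."""
    for text in content.splitlines():
        parts = text.split(None, 1)
        if len(parts) == 2 and parts[0] == keyword:
            return parts[1]
    return None


if __name__ == "__main__":
    good, _ = ensure_line(SAMPLE_SSHD_CONFIG, r"^PasswordAuthentication", "PasswordAuthentication no")
    good, changed = ensure_line(good, r"^PasswordAuthentication", "PasswordAuthentication no")
    print("lineinfile-style second run changed:", changed,
          "| effective:", effective_value(good, "PasswordAuthentication"))
    bad, _ = append_line(SAMPLE_SSHD_CONFIG, "PasswordAuthentication no")
    bad, _ = append_line(bad, "PasswordAuthentication no")
    print("echo >> occurrences:", count_directive(bad, "PasswordAuthentication"),
          "| effective:", effective_value(bad, "PasswordAuthentication"))
```

The idempotent variant converges to a single PasswordAuthentication no line and reports no change on the second run, which is also what makes ansible-playbook --check --diff meaningful. The append variant grows the file on every run and, because sshd keeps the first value, leaves password authentication enabled despite the task "succeeding".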

5. Use Handlers for Restarts

# tasks/main.yml
- name: Update SSH config
  ansible.builtin.template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
  notify: Restart SSH

# handlers/main.yml
- name: Restart SSH
  ansible.builtin.systemd:
    name: sshd
    state: restarted

6. Tags for Selective Runs

- name: Security tasks
  ansible.builtin.include_tasks: security.yml
  tags: [security, hardening]

- name: App deployment
  ansible.builtin.include_tasks: deploy.yml
  tags: [deploy, app]

Troubleshooting

Connection Issues

# Test SSH connection manually
ssh -v user@host

# Debug Ansible connection
ansible host -i inventory -m ping -vvv

# Check inventory parsing
ansible-inventory -i inventory --list

Common Errors

"Permission denied"

  • Check SSH key permissions: chmod 600 ~/.ssh/id_*
  • Verify user has sudo access
  • Add become: yes to playbook

"Host key verification failed"

  • Add to ansible.cfg: host_key_checking = False
  • Or add host key: ssh-keyscan -H host >> ~/.ssh/known_hosts

"Module not found"

  • Use FQCN: ansible.builtin.apt instead of apt
  • Install collection: ansible-galaxy collection install community.general

Debugging Playbooks

# Verbose output
ansible-playbook site.yml -v    # Basic
ansible-playbook site.yml -vv   # More
ansible-playbook site.yml -vvv  # Most task detail (-vvvv adds SSH connection debugging)

# Step through tasks
ansible-playbook site.yml --step

# Start at specific task
ansible-playbook site.yml --start-at-task="Install nginx"

# Check mode (dry run)
ansible-playbook site.yml --check --diff

Integration with OpenClaw

From OpenClaw Agent

# Run playbook via exec tool
exec command="ansible-playbook -i skills/ansible/inventory/hosts.yml skills/ansible/playbooks/openclaw-vps.yml --limit eva"

# Ad-hoc command
exec command="ansible eva -i skills/ansible/inventory/hosts.yml -m shell -a 'systemctl status openclaw'"

Storing Credentials

Use OpenClaw's Vaultwarden integration:

# Get password from vault cache
PASSWORD=$(.secrets/get-secret.sh "VPS - Eva")

# Use in ansible (not recommended - use ansible-vault instead)
ansible-playbook site.yml -e "ansible_ssh_pass=$PASSWORD"

Better: Store in Ansible Vault and use --ask-vault-pass.

References

  • references/best-practices.md - Detailed best practices guide
  • references/modules-cheatsheet.md - Common modules quick reference
  • references/troubleshooting.md - Extended troubleshooting guide

External Resources
