Nomad
v1.0.0Query HashiCorp Nomad clusters. List jobs, nodes, allocations, evaluations, and services. Read-only operations for monitoring and troubleshooting.
⭐ 1· 1.9k·3 current·3 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description match the runtime instructions: the SKILL.md only shows read-only nomad CLI commands (jobs, nodes, allocs, evals, services, variables, logs). However the registry metadata lists no required env vars while the SKILL.md explicitly requires NOMAD_ADDR and optionally NOMAD_TOKEN, plus TLS cert/key paths — an inconsistency that should be resolved.
Instruction Scope
The SKILL.md instructs the agent to run nomad CLI commands that can return sensitive data (nomad var get, alloc logs). It also uses shell pipelines and tools not declared in metadata (examples use jq and grep, command substitution). The instructions do not overreach beyond Nomad, but they do allow reading secrets and logs if the environment or token permits.
Install Mechanism
There is no install spec and no code files — instruction-only. That minimizes disk-write risk. It does require the 'nomad' binary to be present, which is consistent with an instruction-only CLI wrapper.
Credentials
The SKILL.md lists several environment variables (NOMAD_ADDR, NOMAD_TOKEN, NOMAD_NAMESPACE, NOMAD_REGION, NOMAD_CACERT, NOMAD_CLIENT_CERT, NOMAD_CLIENT_KEY) yet registry metadata declares no required env vars or primary credential. Requesting NOMAD_TOKEN (or client cert/key paths) is reasonable for accessing a protected Nomad cluster, but these are sensitive credentials; the skill should declare them explicitly and justify each. Also the skill can access Nomad variables which may contain secrets.
Persistence & Privilege
The skill does not request permanent/always-on presence and defaults are normal (always: false, agent invocation allowed). It does not attempt to modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (read-only Nomad queries), but there are important mismatches and sensitive-data risks to consider before installing:
- Metadata mismatch: The SKILL.md requires NOMAD_ADDR and (optionally) NOMAD_TOKEN and TLS cert/key paths, but the registry metadata lists no required environment variables. Ask the publisher to update metadata to declare these requirements so you know what the skill will need.
- Sensitive access: If you provide NOMAD_TOKEN or client certs, the skill (when invoked) can read variables and allocation logs that may contain secrets or private data. Only supply a token with the minimal scope (read-only, least privilege) and consider using a token limited to specific namespaces/paths.
- Helper tools: Example commands use jq and grep and shell substitution; ensure the runtime environment has those tools and that command examples are safe for your use. The registry should list jq if it's required by common patterns.
- Deployment considerations: Run this skill only in a trusted context that can access the Nomad API (NOMAD_ADDR). If you don't want the agent to reach your cluster, do not set NOMAD_ADDR/NOMAD_TOKEN in environments where the agent can access external networks.
If you need higher assurance, request from the publisher an updated SKILL.md/registry metadata that explicitly lists required binaries and env vars, documents the exact minimal token scopes needed for safe operation, and clarifies whether any example commands (e.g., log retrieval) could expose secrets. If those issues are addressed, the skill is reasonable for monitoring use; until then, treat it with caution.Like a lobster shell, security has layers — review code before you run it.
latestvk976etjcsgc25h9e5hhbkfvf3s7zzqz4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📦 Clawdis
Binsnomad