iDRAC
Review
Audited by ClawScan on May 1, 2026.
Overview
The artifacts look like a coherent iDRAC administration helper, but the skill handles server credentials and documents power-control operations that should be used only in a controlled admin context.
Before installing, confirm this will point only at the intended iDRAC management interface, use a dedicated low-privilege account if feasible, protect or remove the cached credential file, and require explicit human approval before any shutdown, restart, or BIOS-changing action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the credential file or password-manager item is exposed or misused, someone could access the iDRAC interface for the configured server.
The skill may retrieve iDRAC credentials from a password manager and store them locally; this is expected for iDRAC administration, but the credentials can grant server management access.
**1password** | `OP_ITEM="item-name"` | Pulls username:password via `op` CLI, caches to `~/.idrac-credentials` |
Use a least-privileged iDRAC account where possible, keep `~/.idrac-credentials` at mode 600, verify the intended 1Password item, and delete cached credentials when no longer needed.
A mistaken or poorly reviewed power action could shut down or restart a physical server.
The skill explicitly supports high-impact server management actions, but it also instructs the agent to obtain confirmation before destructive operations.
**Destructive** (power off, restart, BIOS changes) → Confirm with user first
Only approve power or BIOS-changing actions when you are sure of the target server and operational impact.
On an untrusted or compromised network, credentials or results could be exposed to a man-in-the-middle attack.
The skill intentionally disables certificate verification for iDRAC HTTPS calls; this is common for self-signed management controllers but weakens protection against spoofing on untrusted networks.
**TLS verification disabled** (`-k`) — iDRAC uses self-signed certs (acceptable for private networks)
Use this only on a trusted management network, or adapt the script to trust the iDRAC certificate instead of using `-k`.
