iDRAC
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the credential file or password-manager item is exposed or misused, someone could access the iDRAC interface for the configured server.
The skill may retrieve iDRAC credentials from a password manager and store them locally; this is expected for iDRAC administration, but the credentials can grant server management access.
**1password** | `OP_ITEM="item-name"` | Pulls username:password via `op` CLI, caches to `~/.idrac-credentials` |
Use a least-privileged iDRAC account where possible, keep `~/.idrac-credentials` at mode 600, verify the intended 1Password item, and delete cached credentials when no longer needed.
A mistaken or poorly reviewed power action could shut down or restart a physical server.
The skill explicitly supports high-impact server management actions, but it also instructs the agent to obtain confirmation before destructive operations.
**Destructive** (power off, restart, BIOS changes) → Confirm with user first
Only approve power or BIOS-changing actions when you are sure of the target server and operational impact.
On an untrusted or compromised network, credentials or results could be exposed to a man-in-the-middle attack.
The skill intentionally disables certificate verification for iDRAC HTTPS calls; this is common for self-signed management controllers but weakens protection against spoofing on untrusted networks.
**TLS verification disabled** (`-k`) — iDRAC uses self-signed certs (acceptable for private networks)
Use this only on a trusted management network, or adapt the script to trust the iDRAC certificate instead of using `-k`.
