ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Proxmox Ops

v1.2.0

Ops-focused Proxmox VE management via REST API — monitor, control, provision, and troubleshoot VMs and LXC containers with battle-tested operational patterns...

0· 666·0 current·1 all-time
byEddy@eddygk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
SKILL.md and scripts clearly require PROXMOX_HOST, PROXMOX_TOKEN_ID, and PROXMOX_TOKEN_SECRET to talk to a Proxmox API; registry metadata lists no required env vars or primary credential. This mismatch is incoherent: a Proxmox management skill legitimately needs those credentials, but the registry entry does not declare them.
Instruction Scope
The instructions and scripts restrict actions to the user-configured Proxmox host and provide clear operation categories (read-only vs reversible vs destructive) and confirmation guidance. They instruct creating ~/.proxmox-credentials (mode 600) or using env vars. Two concerns: the examples include a weak example password ('changeme123') for provisioning, and the curl calls use -k (TLS verification disabled), which weakens transport security for self-signed servers.
Install Mechanism
No install spec — instruction-only skill with an included helper script. Required binaries (curl, jq) are declared and used. Low install risk because nothing is downloaded or installed automatically.
!
Credentials
The only runtime secrets needed are Proxmox API token and host, which are proportionate to the stated purpose. However, the registry metadata failing to declare these env vars/API token as required is a meaningful omission. Also, instructions recommend persisting the API token in ~/.proxmox-credentials (acceptable if user-managed and file perms are enforced) while curl -k reduces protection of that token in transit for self-signed servers; user should prefer properly-signed certs or securely handle verification.
Persistence & Privilege
always:false and no modifications to other skills/system settings. The skill suggests creating a user-owned credentials file (~/.proxmox-credentials) and reads it — this is expected behavior for convenience and not a privilege escalation.
What to consider before installing
This skill appears to do what it says (Proxmox REST operations) and includes a usable helper script, but review before installing: - The registry metadata does NOT list the three required environment variables (PROXMOX_HOST, PROXMOX_TOKEN_ID, PROXMOX_TOKEN_SECRET) even though SKILL.md and the script require them. Treat that as a red flag: verify credential requirements yourself before trusting any automation. - The helper uses curl -k (disables TLS verification) to accommodate self-signed certs. This weakens transport security; prefer adding the CA or using properly signed certs rather than leaving -k in place for production use. - The provisioning examples include an obvious example password (changeme123). Never use example passwords; ensure provisioning uses secure secrets management and least-privilege API tokens. - The skill expects you to store an API token in ~/.proxmox-credentials (mode 600). That is reasonable, but confirm you create the file yourself and review its contents. Alternatively use ephemeral environment variables in CI/agents. - Because this is instruction-only with an included script, inspect scripts/pve.sh locally and consider running it in a controlled environment first. Verify the GitHub homepage, commit history, and author before integrating into automation. If you intend to deploy this in production automation, require an API token with minimized permissions, replace -k, remove example plaintext passwords, and confirm the registry metadata is corrected to declare required credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97641zf2cc37t7phzq5dvcq4h830xyj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖥️ Clawdis
OSmacOS · Linux
Binscurl, jq

Comments