This skill informs the agent how to use Viam CLI
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a legitimate-looking Viam CLI guide, but it gives the agent broad power over robots, cloud data, deployments, and API keys with limited approval and scoping guidance.
Install only if you want the agent to help administer Viam resources. Before using it, set a rule that the agent must ask before every command that changes robots, datasets, cloud data, modules, API keys, databases, or pipelines, not just delete commands. Use a least-privileged Viam profile and avoid sharing API keys in chat.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used too freely, the agent could change or disrupt robots, move files to or from machines, deploy/restart modules, or modify cloud data beyond what the user intended.
The skill exposes broad, high-impact CLI operations: remote shell, remote file copy, module deployment/restart, and cloud data deletion. These are aligned with Viam administration, but the instructions only explicitly require confirmation for delete commands, leaving other high-impact operations insufficiently bounded.
`viam machines part shell --organization=<org> --location=<loc> --machine=<id>` ... `viam machines part cp` ... `viam module reload --part-id <machine-part-id>` ... `viam data delete tabular`
Require explicit user approval before every mutating Viam command, especially remote shell, file copy, module reload/upload, API key creation, database configuration, data tagging, dataset changes, and pipeline enable/disable.
A generated or mishandled Viam API key could grant programmatic access to robotics resources beyond the immediate task.
The skill documents both API-key authentication and creation of new machine-part API keys. Although it warns not to paste credentials into chat, it does not define approval, scoping, storage, rotation, or revocation controls for newly created credentials.
`viam login api-key --key-id <id> --key <secret>` ... `viam machines api-key create` - Generates a new machine part API key for programmatic access.
Use the least-privileged Viam account/profile, avoid handling secrets in chat, and require explicit user approval plus clear scope and revocation steps before creating any API key.
A mistaken module reload or deployment could interrupt a robot or cause operational problems on connected machines.
Deploying and restarting modules on a robotics machine can propagate a bad local change into a live remote system. The artifact does not describe staging, rollback, dry-run, or explicit confirmation requirements for this non-delete deployment action.
`viam module reload --part-id <machine-part-id>` - **(Hot Reloading)** Bundles local module code, deploys it to the target machine via WebRTC, registers it as a local module, and restarts it.
Use staging machines where possible, require explicit confirmation before deploy/restart commands, record the target machine part, and provide rollback instructions before proceeding.
Installing the CLI changes the local system and depends on the Homebrew tap source being trustworthy.
The skill instructs installing the Viam CLI from a Homebrew tap after user approval. This is disclosed and purpose-aligned, but users should recognize it adds external software to the local environment.
`brew tap viamrobotics/brews` ... `brew install viam`
Approve installation only if you trust the Viam Homebrew source, and verify the installed CLI version before using it with your account.
