ClawHub

Ansible

Avoid common Ansible mistakes — YAML syntax traps, variable precedence, idempotence failures, and handler gotchas.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
3 · 1.2k · 7 current installs · 7 all-time installs
byIván@ivangdavila
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description promise (Ansible pitfalls and best practices) matches the content and requirements: the only declared runtime dependency is the 'ansible' binary, which is appropriate for this topic.
Instruction Scope
SKILL.md is a static list of guidance and examples (YAML/Ansible tips). It does not instruct the agent to read files, access environment variables, call external endpoints, or execute commands — no scope creep detected.
Install Mechanism
No install spec and no code files are present. Being instruction-only means nothing is written to disk or fetched at install time — lowest-risk installation profile.
Credentials
No environment variables, credentials, or config paths are requested. The lack of secrets or unrelated env requirements is proportionate to the stated purpose.
Persistence & Privilege
always:false (default) and normal model invocation allowed. The skill does not request persistent presence or elevated privileges beyond being user-invocable — appropriate for a reference/guide skill.
Assessment
This skill appears to be a safe, read-only Ansible best-practices reference. Before installing, confirm you actually want an agent-accessible reference (the agent could invoke it when answering Ansible questions). Ensure the system where the agent runs has a trusted 'ansible' binary if the skill will trigger command execution later; if you do not want the agent to run commands on your machine, keep model/tool invocation restrictions in place. If future versions add an install step, code, or requests for credentials (vault passwords, cloud keys, etc.), reassess — that would change this assessment.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97e89f5fy5jjyttd0k711g0td80x4tm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔧 Clawdis
OSLinux · macOS
Binsansible

SKILL.md

YAML Syntax Traps

  • Jinja2 in value needs quotes — "{{ variable }}" not {{ variable }}
  • : in string needs quotes — msg: "Note: this works" not msg: Note: this
  • Boolean strings: yes, no, true, false parsed as bool — quote if literal string
  • Indentation must be consistent — 2 spaces standard, tabs forbidden

Variable Precedence

  • Extra vars (-e) override everything — highest precedence
  • Host vars beat group vars — more specific wins
  • vars: in playbook beats inventory vars — order: inventory < playbook < extra vars
  • Undefined variable fails — use {{ var | default('fallback') }}

Idempotence

  • command/shell modules aren't idempotent — always "changed", use creates: or specific module
  • Use apt, yum, copy etc. — designed for idempotence
  • changed_when: false for commands that don't change state — like queries
  • creates:/removes: for command idempotence — skips if file exists/doesn't

Handlers

  • Handlers only run if task reports changed — not on "ok"
  • Handlers run once at end of play — not immediately after notify
  • Multiple notifies to same handler = one run — deduplicated
  • --force-handlers to run even on failure — or meta: flush_handlers

Become (Privilege Escalation)

  • become: yes to run as root — become_user: for specific user
  • become_method: sudo is default — use su or doas if needed
  • Password needed for sudo — --ask-become-pass or in ansible.cfg
  • Some modules need become at task level — even if playbook has become: yes

Conditionals

  • when: without Jinja2 braces — when: ansible_os_family == "Debian" not when: "{{ ... }}"
  • Multiple conditions use and/or — or list for implicit and
  • is defined, is not defined for optional vars — when: my_var is defined
  • Boolean variables: when: my_bool — don't compare == true

Loops

  • loop: is modern, with_items: is legacy — both work, loop preferred
  • loop_control.loop_var for nested loops — avoids variable collision
  • item is the loop variable — use loop_control.label for cleaner output
  • until: for retry loops — until: result.rc == 0 retries: 5 delay: 10

Facts

  • gather_facts: no speeds up play — but can't use ansible_* variables
  • Facts cached with fact_caching — persists across runs
  • Custom facts in /etc/ansible/facts.d/*.fact — JSON or INI, available as ansible_local

Common Mistakes

  • register: captures output even on failure — check result.rc or result.failed
  • ignore_errors: yes continues but doesn't change result — task still "failed" in register
  • delegate_to: localhost for local commands — but local_action is cleaner
  • Vault password for encrypted files — --ask-vault-pass or vault password file
  • --check (dry run) not supported by all modules — command, shell always skip

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…