v1.0.3

Veeam MCP

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:23 AM.

Analysis

The skill appears purpose-built for Veeam monitoring, but it needs review because it uses Veeam administrator credentials with an externally obtained beta Docker MCP server.

GuidanceInstall only if you trust and can verify the external Veeam MCP Docker package. Use least-privilege Veeam credentials, protect the local credentials file, avoid printing passwords during troubleshooting, and treat the interactive MCP mode as an administrative interface rather than a simple read-only query tool.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityHighConfidenceHighStatusConcern

SKILL.md

The Veeam Intelligence MCP server is currently in beta. ... Once you have the MCP server package, build the Docker image: docker build -t veeam-intelligence-mcp-server .

The key runtime component is an external beta MCP server package obtained outside the skill, with no pinned version, checksum, source URL, or included Dockerfile in the reviewed artifacts.

User impactThe externally obtained Docker image is the component that receives Veeam credentials and talks to Veeam APIs, so its provenance matters significantly.

RecommendationOnly use an official, verified Veeam-provided MCP package; pin versions where possible; inspect the Dockerfile/source; and avoid injecting production admin credentials into an unverified image.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

scripts/start-mcp.sh

echo "Send JSON-RPC requests via stdin. Ctrl+D to exit." ... docker run -i --rm ... -e "ADMIN_PASSWORD=$PASSWORD" ... veeam-intelligence-mcp-server

The helper starts an unrestricted interactive MCP session using the same stored credentials, rather than limiting use to the specific question-answering wrapper.

User impactA user or agent using the interactive mode could issue any MCP request supported by the external server, which may be broader than the documented monitoring queries.

RecommendationPrefer the scoped query script for routine use, document the available MCP tools and their impact, and require explicit human approval for any non-read-only or administrative actions.

Human-Agent Trust Exploitation

SeverityLowConfidenceHighStatusNote

README.md

Verify credentials: cat ~/.veeam-mcp-creds.json | jq . ... ✅ Credentials stored locally only ... ✅ No credentials in logs or command history

The troubleshooting command prints the full credentials file, including passwords, while the security section broadly claims credentials are not exposed.

User impactRunning the troubleshooting command can reveal passwords in the terminal or any terminal logging/screen-sharing environment.

RecommendationAvoid printing full credential files; redact passwords when troubleshooting, and treat the security claims as conditional rather than absolute.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

scripts/query-veeam.sh

PASSWORD=$(jq -r ".${PRODUCT}.password" "$CREDS_FILE") ... -e "ADMIN_USERNAME=$USERNAME" ... -e "ADMIN_PASSWORD=$PASSWORD" ... -e "ACCEPT_SELF_SIGNED_CERT=true"

The script reads locally stored Veeam credentials and passes the username and password into the Docker MCP server as environment variables; it also enables self-signed certificate acceptance by default.

User impactThe Docker MCP server receives credentials for backup infrastructure. If those credentials are overly privileged, mishandled, or sent to the wrong endpoint, the impact could include exposure or misuse of critical backup systems.

RecommendationUse a dedicated least-privilege/read-only Veeam account if possible, verify the server URL and certificate handling, protect the credentials file, and avoid using broad administrator credentials unless strictly required.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

User Question → OpenClaw Skill → Docker MCP Server → Veeam API ... Veeam Intelligence ... JSON Response

The documented data flow sends user questions and Veeam backup/infrastructure information through an MCP server and Veeam Intelligence.

User impactBackup job status, repository capacity, alerts, and infrastructure health data may be exposed to the MCP server and Veeam Intelligence as part of normal operation.

RecommendationConfirm the MCP server and Veeam Intelligence deployment are approved for the sensitivity of your backup and infrastructure data.