Proxmox VE
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: proxmox-ve Version: 0.1.1 The proxmox-ve skill bundle provides a legitimate set of tools and instructions for managing Proxmox Virtual Environment clusters. The SKILL.md and references/commands-and-auth.md files emphasize a 'safe workflow,' requiring the agent to verify state and seek user confirmation before performing any mutating or disruptive actions. The Python scripts (e.g., scripts/pve_api.py) are well-structured, use standard libraries for API interaction, and follow best practices by sourcing credentials from environment variables rather than hardcoding them.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken command could disrupt VMs or containers or change snapshot state.
These are legitimate Proxmox lifecycle and snapshot commands, but they can stop services, reboot guests, or revert/delete snapshots if used on the wrong target.
qm stop <vmid> qm reboot <vmid> qm reset <vmid> ... qm delsnapshot <vmid> <snapshot-name> qm rollback <vmid> <snapshot-name>
Confirm the node, guest type, VMID, and exact action before any mutation; prefer graceful operations and re-check status afterward.
The API token may grant infrastructure permissions, and unverified TLS can expose the token to network interception in unsafe environments.
The helper uses Proxmox API token credentials and disables TLS certificate verification by default unless --verify-ssl is used.
self.auth_header = f"PVEAPIToken={user}!{token_id}={token_secret}"
...
def build_client(verify_ssl: bool = False)Use a least-privilege Proxmox API token, do not paste secrets into chat, and prefer valid TLS with --verify-ssl when possible.
Automated install or review tools may not warn users that privileged Proxmox tools or API credentials are needed.
The registry metadata does not declare prerequisites that the skill documentation and scripts rely on, such as Proxmox CLIs and optional PVE_* API token variables.
Required binaries (all must exist): none Required env vars: none Primary credential: none
Before use, verify that you are on the intended Proxmox host or have the intended remote API credentials; publishers should declare these requirements in metadata.