Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

VCF Regulatory Compliance

v1.0.1

An MCP server that interfaces with VMware Aria Operations to run regulatory compliance checks (ISO 27001, PCI DSS, CIS, etc.) against the VCF environment.

by Rohit Kasture (@kasture-rohit)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill declares ARIA_OPS_HOST and ARIA_OPS_API_TOKEN and the server.py uses exactly those environment variables to call Aria Operations suite-api endpoints for compliance alerts. Required inputs and the described capability (VCF/Aria compliance checks) are coherent.
Instruction Scope
SKILL.md only instructs installing dependencies and launching the included MCP server with the two Aria env vars. The runtime code only reads those env vars and queries the specified Aria host. Note: the code disables TLS verification (verify=False) and suppresses insecure-cert warnings to accommodate self-signed VCF certs — this is understandable for private infra but is a security consideration (MITM risk) and should be accepted only for trusted internal endpoints.
Install Mechanism
No automated install/download is present; this is instruction-only with a requirements.txt. The user must run pip install -r requirements.txt — no remote arbitrary archive downloads or obscure installers were included.
Credentials
Only ARIA_OPS_HOST and ARIA_OPS_API_TOKEN are required, which are appropriate and proportional for querying VMware Aria Operations. No unrelated secrets, system paths, or extra credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or system-wide configuration changes. It runs as a user-launched MCP server and does not alter other skills or agent-wide settings.
Assessment
This skill appears to do what it says, but review a few operational-security items before installing:
1) Only provide ARIA_OPS_API_TOKEN that has the minimum privileges needed for read-only compliance queries and rotate the token regularly.
2) Run the MCP server on a host with restricted network access and ensure ARIA_OPS_HOST points to your internal Aria Operations instance (do not point to unknown external hosts).
3) Note server.py disables TLS verification (verify=False) to allow self-signed certs — accept this only if you trust the network path; consider replacing with a CA-trusted cert or enabling verification.
4) Inspect the included server.py yourself (or with your security team) before supplying secrets.
5) If you plan to allow autonomous invocation, be aware the agent could call the tool automatically — restrict token scope and monitor usage/logging.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

Env: ARIA_OPS_HOST, ARIA_OPS_API_TOKEN
