ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

VCF LCM Pre-check Analyzer

v1.0.1

An MCP server that interfaces with VCF SDDC Manager to retrieve and analyze LCM upgrade pre-check results, providing instant remediation steps for failures.

0· 58·0 current·0 all-time
byRohit Kasture@kasture-rohit
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill declares and uses SDDCMANAGER_HOST and SDDCMANAGER_API_TOKEN, calls the SDDC Manager /v1/upgrades/prechecks endpoint, and exposes a single MCP tool analyze_lcm_precheck — all align with the stated purpose.
Instruction Scope
SKILL.md instructs running a local MCP server and only that server reads the two declared env vars. The code disables TLS verification (verify=False and suppresses insecure warnings) to allow self-signed certs; this is plausible for VCF environments but increases MITM risk and should be acknowledged/mitigated.
Install Mechanism
Install is pip install -r requirements.txt for 'mcp' and 'requests' from PyPI — a standard, expected approach. There are no downloads from untrusted URLs or extracted archives.
Credentials
Only two env vars are required and both are directly relevant to connecting to SDDC Manager. No unrelated credentials, config paths, or unexpected secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It runs as a local MCP server and can be invoked by the agent (normal for MCP skills); it does not modify other skills or agent-wide config.
Assessment
This skill appears coherent and limited to querying your SDDC Manager, but take these precautions before installing: (1) Run the MCP server on a trusted host with network access to your SDDC Manager. (2) Provide a token with least privilege necessary (avoid using a full administrator token) and rotate it regularly. (3) Be aware the code disables SSL verification for self-signed certs — if possible, use valid TLS or restrict network exposure to prevent MITM. (4) Review the short server.py yourself (it is included) to confirm it matches your security policies. (5) If you allow autonomous agent invocation, treat the skill like any other connector with access to your SDDC API and monitor its usage.

Like a lobster shell, security has layers — review code before you run it.

latestvk97amkr48jcm6d1bp6dq7vfxmd848h30lcmvk97adfq70tbn53ef2swet4618h8498k1mcpvk97adfq70tbn53ef2swet4618h8498k1precheckvk97adfq70tbn53ef2swet4618h8498k1pythonvk97adfq70tbn53ef2swet4618h8498k1sddc-managervk97adfq70tbn53ef2swet4618h8498k1upgradesvk97adfq70tbn53ef2swet4618h8498k1vcfvk97adfq70tbn53ef2swet4618h8498k1vmwarevk97adfq70tbn53ef2swet4618h8498k1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSDDCMANAGER_HOST, SDDCMANAGER_API_TOKEN

Comments