Proxmox Full
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: proxmox-full
Version: 1.0.0
The skill is designed for 'Complete Proxmox VE management' and requires full administrative privileges on the Proxmox hypervisor, as indicated by the `SKILL.md` instructions to create an API token without 'Privilege Separation'. It uses `curl` to interact with the Proxmox API, enabling creation, modification, and deletion of VMs, containers, snapshots, and backups. While these actions align with the stated purpose, the inherent broad permissions and high-impact capabilities make this skill suspicious due to the significant risk if the agent or the skill's execution environment were compromised.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token belongs to a highly privileged Proxmox user, the agent could control large parts of the cluster, including starting, stopping, creating, cloning, or modifying workloads.
The setup explicitly tells users to disable Proxmox token privilege separation, which can make the token inherit the full permissions of the owning account instead of being narrowly scoped.
**Create API token:** Datacenter → Permissions → API Tokens → Add (uncheck Privilege Separation)
Use a dedicated Proxmox user or token with the minimum required roles, keep privilege separation enabled where possible, and restrict permissions to specific nodes, storage, pools, or VM IDs.
A mistaken or ambiguous request could stop production VMs or remove recovery points, causing outages or making rollback harder.
The skill documents direct high-impact API operations, including immediate VM stops and snapshot deletion, with no visible confirmation requirement, safety check, or scoped workflow.
```
# Stop (immediate)
curl -sk -X POST -H "$AUTH" "$PVE_URL/api2/json/nodes/{node}/qemu/{vmid}/status/stop"
...
# Delete snapshot
curl -sk -X DELETE -H "$AUTH" "$PVE_URL/api2/json/nodes/{node}/qemu/{vmid}/snapshot/{snapname}"
```
Require explicit user confirmation before destructive or availability-impacting actions, verify node and VM IDs, and prefer safer workflows such as listing targets before mutating them.
On an untrusted network or with a spoofed endpoint, the privileged Proxmox token could be exposed to an attacker.
The examples send the Proxmox API token in an Authorization header while using curl's -k option, which disables TLS certificate verification.
```
AUTH="Authorization: PVEAPIToken=$PVE_TOKEN"
...
curl -sk -H "$AUTH" "$PVE_URL/api2/json/cluster/status" | jq
```
Avoid -k when possible; configure trusted Proxmox certificates or a pinned CA, and only connect to verified PVE_URL endpoints.
If copied directly, a new container could be created with an easily guessed password.
The LXC creation example includes a weak sample root password and starts the container immediately.
```
-d "password=changeme123" \
-d "start=1"
```
Replace sample passwords with unique secrets, prefer SSH keys, and avoid automatically starting newly created containers until access controls are verified.
