Proxmox

Warn

Audited by ClawScan on May 18, 2026.

Overview

This is a disclosed Proxmox management connector, but it deserves review because it can change or delete VMs with an API token while its registry/OpenClaw metadata understates those privileges.

Install only if you intentionally want an agent to manage Proxmox. Start with a read-only, least-privilege API token, keep destructive operations and insecure TLS disabled unless specifically needed, pin the package version, and manually review any write or delete action.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or over-broad tool call could stop, reboot, create, clone, back up, or, if the destructive env flag is enabled, delete virtual machines or containers.

Why it was flagged

The skill exposes tools that can materially change or delete Proxmox infrastructure. The gates are disclosed, but Tier 2 writes depend on a tool argument the agent can supply, so users should not treat this as read-only or low-impact.

Skill content

`proxmox_destroy_resource` | 3 destructive | Permanently delete an LXC or VM ... **Safe writes (8):** require `confirm: true`.

Recommendation

Use a read-only token unless writes are needed, require human review for all write actions, keep PROXMOX_ENABLE_DESTRUCTIVE unset by default, and audit Proxmox task logs.

What this means

Users may not realize from the registry/OpenClaw metadata that the plugin needs a Proxmox API token that could grant broad VM/container control.

Why it was flagged

The OpenClaw plugin declares no permissions or config fields even though the README and code require Proxmox API token environment variables. This under-declares account authority at install/review time.

Skill content

"permissions": [], "configSchema": { "type": "object", "properties": {}, "additionalProperties": false }

Recommendation

The publisher should declare required env vars and credential expectations. Users should create a least-privilege Proxmox API token and avoid using an admin token unless absolutely necessary.

What this means

A user may install it expecting only reads and safer lifecycle actions, without noticing that destructive operations are also present when explicitly enabled.

Why it was flagged

The registry description omits the destructive tool tier that is disclosed in the README, including permanent VM/container deletion and force-stop. This can cause users to underestimate the skill's impact.

Skill content

Description: MCP server exposing Proxmox VE read + safe-write tools

Recommendation

Update the registry/package description to explicitly mention destructive tools and their gates; users should read the full README before installing.

What this means

If enabled on an untrusted network, a man-in-the-middle attacker could intercept or tamper with Proxmox API traffic.

Why it was flagged

The code can disable HTTPS certificate verification when PROXMOX_TLS_INSECURE is enabled. This is documented and off by default, but it affects protection of the Proxmox API token in transit.

Skill content

if (cfg.tlsInsecure && cfg.url.startsWith("https://")) { this.dispatcher = new UndiciAgent({ connect: { rejectUnauthorized: false } }); }

Recommendation

Leave PROXMOX_TLS_INSECURE=false except in isolated homelab setups, and prefer installing a trusted certificate on the Proxmox host.

What this means

The agent may have Proxmox access across sessions until the plugin is disabled or the environment variables/token are removed.

Why it was flagged

The plugin is configured to load automatically at startup. This is disclosed and normal for an MCP server, but it keeps the Proxmox tools available whenever the agent environment has credentials.

Skill content

"activation": { "onStartup": true }

Recommendation

Disable the plugin or remove its environment variables when Proxmox management is not actively needed.

What this means

A future package update could change behavior for users who repeatedly launch through an unpinned npx command.

Why it was flagged

Several setup paths run the npm package through npx without a version pin. This is common MCP installation plumbing, but infrastructure-control tools are safer when pinned and audited.

Skill content

npx -y @solomonneas/proxmox-mcp

Recommendation

Pin the package version in agent configs or install a reviewed version explicitly.