Zabbix Connector
PassAudited by VirusTotal on May 4, 2026.
Overview
Type: OpenClaw Skill Name: zabbix-connector Version: 1.0.4 The Zabbix connector skill is a standard implementation for monitoring and interacting with the Zabbix API. The core logic in `scripts/zabbix_api.py` uses Python's standard library to perform authenticated requests, implements proper SSL certificate verification to prevent MITM attacks, and includes clear security instructions in `SKILL.md` regarding credential management. No indicators of data exfiltration, malicious execution, or harmful prompt injection were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing the skill should understand that the agent may use their Zabbix API token to access monitoring data and perform allowed Zabbix actions.
The script uses a Zabbix API token from the local environment or .env file. This is expected for the integration, but it grants access according to the token's Zabbix permissions and is not declared in the registry credential metadata.
ZABBIX_URL = os.environ.get("ZABBIX_URL")
ZABBIX_TOKEN = os.environ.get("ZABBIX_TOKEN")Use a least-privilege Zabbix API token, store it only in the local .env file or environment, and avoid giving the token permissions beyond the intended monitoring and acknowledgement tasks.
The agent could acknowledge Zabbix events if asked or if it decides the skill is relevant, which may affect incident tracking or operational workflows.
The skill includes a state-changing Zabbix API action to acknowledge events. This is disclosed in SKILL.md and fits the stated purpose, but it can alter monitoring incident state.
def event_acknowledge(self, eventids, message, action=6):
params = {"eventids": eventids, "message": message, "action": action}
return self._call("event.acknowledge", params)Only allow acknowledgements after an explicit user request, and verify the event ID, host, and acknowledgement message before running the action.
Users may need to create the .env file manually and could misconfigure credential storage if they rely on a missing template.
The instructions reference a .env.template setup file, but the provided file manifest does not include that file. This is a setup/documentation gap, not evidence of malicious behavior.
To configure the skill, copy `.env.template` to `.env` and fill in the credentials.
Create a local .env file containing only ZABBIX_URL and ZABBIX_TOKEN, keep it out of version control, and verify the configured Zabbix URL uses HTTPS.