syself-autopilot-hetzner
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Syself/Hetzner cluster setup helper, but it needs powerful cloud and Kubernetes access and can change infrastructure.
Install only if you intend to manage Syself Autopilot clusters on Hetzner. Before running any scripts, inspect the YAML, confirm the kubectl context/namespace, use least-privilege Hetzner credentials, and understand that the scripts can create persistent Kubernetes secrets and infrastructure resources.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the script in the wrong context or with unreviewed manifests could change the wrong cluster or provision unintended resources.
The script applies ClusterStack and workload Cluster manifests to the active Kubernetes context, which can create or modify real infrastructure.
kubectl apply -f "$STACK_MANIFEST" ... kubectl apply -f "$CLUSTER_MANIFEST"
Before running, inspect the manifests, confirm the current kubectl context and namespace, and require explicit user approval for cluster creation or modification.
Anyone with access to the resulting Kubernetes secrets may be able to use the Hetzner token, Robot account, or SSH key material.
The script requires Hetzner cloud/Robot credentials and writes them into Kubernetes secrets, which is expected for this integration but grants significant account authority.
: "${HCLOUD_TOKEN:?Must be set}"
: "${HETZNER_ROBOT_USER:?Must be set}"
: "${HETZNER_ROBOT_PASSWORD:?Must be set}"
...
kubectl create secret generic hetzner
Use least-privilege credentials where possible, verify the target namespace/context, restrict Kubernetes secret access, and rotate credentials after setup or if exposure is suspected.
It is harder to independently verify the publisher, update history, or intended maintenance source before trusting it with infrastructure credentials.
The skill handles high-impact cloud/Kubernetes operations, but the supplied registry information does not provide a source repository or homepage for provenance review.
Source: unknown
Homepage: none
Review the included scripts and templates before use, prefer installing from a trusted publisher/source, and avoid supplying production credentials unless provenance is acceptable.
