Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Esxi Debian Deploy

Zero-touch Debian 13 VM deployment on VMware ESXi 8. Builds custom preseed ISO, creates NVMe+vmxnet3 VM with serial console, and runs unattended installation...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The scripts and SKILL.md implement zero-touch Debian installs on ESXi (building a preseed ISO, uploading it, creating a VMX with NVMe/vmxnet3 and telnet serial, and resizing disks). Those capabilities match the name and description. However, the registry metadata claims no required environment variables while the SKILL.md and scripts clearly require ESXI_HOST, ESXI_PASS (and VM_PASS for resizing) — a packaging/metadata mismatch that should be corrected.
Instruction Scope
Runtime instructions and included scripts stay within the deployment domain: they download the official Debian ISO, build a preseeded ISO, upload it to the ESXi datastore, SSH into the ESXi host to create VM files, and SSH into deployed VMs for resize operations. No unexpected external endpoints or obfuscated network calls are present. Notable scope-relevant behaviors: the preseed enables root login and password authentication on the guest, the generated VM password is printed to stdout and embedded in the uploaded ISO, and serial consoles are configured over unencrypted telnet — all intentional for this use-case but sensitive and should be considered before running in production.
Install Mechanism
This is instruction-only with included scripts; there is no installer that downloads arbitrary code. The only remote download is the Debian ISO from an official Debian cdimage URL. The required external tooling (govc, xorriso, isolinux, sshpass) is standard and explicitly documented. No high-risk arbitrary URL downloads or archive extraction from unknown hosts were observed.
Credentials
The environment variables used (ESXI_HOST, ESXI_PASS, ESXI_USER, ESXI_DATASTORE, NETWORK, DOMAIN, VM_PASS) are relevant to the stated purpose and the scripts actually use them. That said, the metadata did not declare these requirements, which is inconsistent. The script requires the ESXi root password (sensitive) and uses sshpass/GOVC_PASSWORD via environment variables. The VM root password is generated and both printed to stdout and written into the preseed ISO that gets uploaded to your datastore — a significant sensitive-data exposure risk if left on the host or logs.
Persistence & Privilege
The skill does not request permanent platform-level privileges (always:false) and does not modify other skills or agent configuration. It performs privileged operations on the remote ESXi host and VMs (via SSH/govc), which is expected for VM provisioning but requires that you trust the scripts and limit credentials accordingly.
What to consider before installing
This skill largely does what it claims, but review and operationally harden before using:

  1. Fix the packaging metadata: the registry incorrectly lists no required env vars while the scripts require ESXI_HOST and ESXI_PASS (and VM_PASS for resize).
  2. Audit the scripts yourself (they will run commands as root on your ESXi host and VMs).
  3. Prefer SSH key-based access instead of passing the ESXi root password via sshpass where possible.
  4. Be aware that the generated VM password is printed to stdout and embedded in the preseed ISO uploaded to your datastore — remove the ISO and clear logs after deployment; consider modifying the preseed to force a password reset on first boot or use SSH keys for guests.
  5. Serial console uses telnet (unencrypted) — restrict ESXi network access or disable the serial port after use.
  6. Run first in an isolated/test ESXi environment to confirm behavior (including the truncated parts of the script you should inspect for full commands like vmkfstools usage).

If you need to proceed in production, require minimal privileged credentials, keep them ephemeral, and manually verify the uploaded ISO and generated VM configuration before powering on VMs.


Current version: v0.1.3


SKILL.md

ESXi Debian 13 Zero-Touch Deploy

Deploy fully configured Debian 13 VMs on ESXi 8 in ~8 minutes with zero manual interaction.

Required Environment Variables

Variable       | Required          | Description
ESXI_HOST      | Yes               | ESXi host IP address
ESXI_PASS      | Yes               | ESXi root password
ESXI_USER      | No                | ESXi user (default: root)
ESXI_DATASTORE | No                | Target datastore (default: datastore1)
NETWORK        | No                | Port group name (default: VM Network)
DOMAIN         | No                | Domain for VMs (default: local)
VM_PASS        | Yes (resize only) | VM root password for disk resize script

⚠️ Note: The deploy script generates a random VM password and prints it to stdout. The password is also embedded in the preseed ISO uploaded to the ESXi datastore. Remove the ISO after deployment and treat stdout output as sensitive.

Requirements

  • ESXi 8.x host with SSH and datastore access
  • govc CLI (github.com/vmware/govmomi)
  • xorriso, isolinux — for custom ISO build
  • sshpass — for automated SSH/SCP
  • Tools on agent host: bash, python3, wget

Install on Debian/Ubuntu:

apt install xorriso isolinux sshpass
# govc: https://github.com/vmware/govmomi/releases

Usage

All credentials are passed via environment variables — nothing is hardcoded or embedded in process arguments.

export ESXI_HOST="192.168.1.100"
export ESXI_PASS="your-esxi-root-password"

bash scripts/esxi-deploy.sh [hostname] [cpu] [ram_mb] [disk_gb] [serial_port]

Parameter   | Default            | Description
hostname    | random animal name | VM name
cpu         | 2                  | vCPU count
ram_mb      | 2048               | Memory in MB
disk_gb     | 20                 | Disk size in GB
serial_port | random 8600-8699   | Telnet port for serial console

Example:

bash scripts/esxi-deploy.sh webserver 4 4096 50 8610

What It Does

  1. Generate preseed.cfg — German locale, DHCP, configurable user + root, random password
  2. Build custom ISO — Debian netinst + preseed, patched isolinux for auto-boot
  3. Upload ISO to ESXi datastore
  4. Create VM — NVMe disk (thin provisioned), dual NIC (E1000 for installer + vmxnet3 for production), serial port via telnet
  5. Boot + unattended install — preseed handles everything
  6. Post-install — Remove E1000, eject ISO, set boot to HDD
  7. Output credentials — SSH + serial console access details

Serial Console

Every VM gets a serial port accessible via telnet to the ESXi host:

telnet <ESXI_IP> <serial_port>

Works even when the VM has no network. Guest-side configuration:

  • GRUB: GRUB_TERMINAL="console serial", serial 115200 8N1
  • Kernel: console=tty0 console=ttyS0,115200n8
  • Getty: serial-getty@ttyS0.service enabled

ESXi firewall requirement (activated automatically by the script):

esxcli network firewall ruleset set -e true -r remoteSerialPort

Important: Set serial port IP to the ESXi host IP, not 0.0.0.0:

serial0.fileName = "telnet://<ESXI_IP>:<port>"
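As an added illustration (not code from the skill's own scripts), the bash functions below emit the VMX entries for the telnet-backed serial port bound to the ESXi host IP, refusing a 0.0.0.0 bind or a port outside the 8600-8699 range the deploy script uses, and check a guest's /etc/default/grub for the console settings listed above. The serial0.* keys other than fileName are assumed to be the standard VMX keys for a network-backed serial port, and GRUB_SERIAL_COMMAND is the stock /etc/default/grub variable that carries the 115200 8N1 setting.

```shell
# Added example, not part of the skill: build the serial-port VMX lines and
# validate the bind address the page warns about (ESXi host IP, never 0.0.0.0).
vmx_serial_lines() {
  # $1: ESXi host IP the telnet listener binds to, $2: TCP port (8600-8699)
  local ip=$1 port=$2
  case $ip in
    0.0.0.0|''|*[!0-9.]*)
      echo "refusing bind address '$ip'; use the ESXi host IP" >&2; return 1 ;;
  esac
  case $port in
    ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
  esac
  if [ "$port" -lt 8600 ] || [ "$port" -gt 8699 ]; then
    echo "port $port is outside the 8600-8699 range used by the deploy script" >&2
    return 1
  fi
  # serial0.* keys as used for a network-backed VMX serial port (assumed standard keys)
  cat <<EOF
serial0.present = "TRUE"
serial0.fileType = "network"
serial0.fileName = "telnet://$ip:$port"
serial0.network.endPoint = "server"
serial0.yieldOnMsrRead = "TRUE"
EOF
}

# Verify a guest's /etc/default/grub has the console/serial settings from the list above.
grub_serial_ok() {
  # $1: contents of /etc/default/grub; returns 0 only if all three settings are present
  printf '%s\n' "$1" | grep -q '^GRUB_TERMINAL="console serial"' &&
  printf '%s\n' "$1" | grep -q '^GRUB_CMDLINE_LINUX=.*console=ttyS0,115200n8' &&
  printf '%s\n' "$1" | grep -q '^GRUB_SERIAL_COMMAND="serial --speed=115200'
}
```

The remoteSerialPort firewall ruleset from the esxcli command above still has to be enabled on the host for the listener to be reachable.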

Online Disk Resize

Grow a VM's disk without shutdown:

export ESXI_HOST="192.168.1.100"
export ESXI_PASS="your-esxi-password"
export VM_PASS="vm-root-password"

bash scripts/esxi-vm-resize-disk.sh <vm-name> <new-size-gb>

Requires cloud-guest-utils on the VM (pre-installed by the deploy script).

Configuration

All settings are configurable via environment variables:

export ESXI_HOST="192.168.1.100"    # ESXi host IP (required)
export ESXI_PASS="secret"           # ESXi root password (required)
export ESXI_USER="root"             # ESXi user (default: root)
export ESXI_DATASTORE="datastore1"  # Target datastore (default: datastore1)
export NETWORK="VM Network"         # Port group name (default: VM Network)
export DOMAIN="example.local"       # Domain for VMs (default: local)

No credential store or external resolver is required. Pass secrets via environment variables only — they are never embedded in process arguments or URLs.

VM Configuration Details

Component       | Choice  | Reason
Disk controller | NVMe    | Faster than SCSI/SATA for modern guests
Production NIC  | vmxnet3 | Paravirtualized, best performance
Installer NIC   | E1000   | Kernel driver built-in, no firmware needed
Boot mode       | BIOS    | Simpler for automated installs
Provisioning    | Thin    | Saves datastore space

Preseed Highlights

  • Locale: de_DE.UTF-8, keyboard de, timezone Europe/Berlin
  • Partitioning: automatic, single root + swap
  • Packages: open-vm-tools, curl, sudo, qemu-guest-agent, cloud-guest-utils
  • SSH: PermitRootLogin yes, PasswordAuthentication yes
  • Blacklisted modules: floppy, pcspkr (prevent I/O error loops in VMs)

Customize the preseed section in esxi-deploy.sh for different locales or packages.

Security Considerations

  • Credentials: All secrets are passed via environment variables, never embedded in URLs or process arguments. govc uses GOVC_USERNAME/GOVC_PASSWORD env vars.
  • SSH access: The script uses sshpass for automated SSH. For production, consider SSH key-based auth instead.
  • Serial console: Telnet is unencrypted. The serial port is bound to the ESXi host IP (not 0.0.0.0), but anyone with network access to the ESXi host can connect. Restrict access via:
    • ESXi firewall rules (limit remoteSerialPort to trusted IPs)
    • Network segmentation / VPN
    • Disable serial port after debugging
  • Generated passwords: VM passwords are output to stdout. Redirect output or use a credential store in production.
  • Lab use recommended: Test on a lab ESXi host before using in production. Review all scripts before running.

Gotchas

  • No heredoc in preseed late_command — Shell expansion in the deploy script's heredoc destroys nested heredocs. Use echo -e or single-line commands instead.
  • Serial console only works after install — The Debian installer uses VGA; serial output starts at first boot (GRUB + kernel).
  • ESXi firewall blocks serial by default — The remoteSerialPort ruleset must be enabled.
  • Don't resize MBR partitions live with an extended/swap layout — Use growpart on the root partition or redeploy with a larger disk.
  • E1000 removal requires shutdown — The script handles this automatically post-install.
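The Online Disk Resize section and the MBR gotcha above both hinge on one precondition: growpart can only extend the root partition in place if nothing (such as an extended container holding swap) sits after it on the disk. As an added example that is not one of the skill's scripts, the bash below decides that from the text of `sfdisk -d <disk>` and derives the "disk number" arguments growpart expects from a partition name; the two sfdisk dumps are constructed.

```shell
# Added example (not from the skill): pre-flight check before a live growpart.
can_grow_live() {
  # $1: output of `sfdisk -d <disk>`, $2: root partition device (e.g. /dev/nvme0n1p1)
  # exit 0: $2 ends the disk and can be grown in place
  # exit 1: another partition lies after $2 (extended/swap layout); do not grow live
  # exit 2: $2 is not in the dump
  printf '%s\n' "$1" | awk -v part="$2" '
    /^\/dev\// {
      start = 0; size = 0
      for (i = 3; i <= NF; i++) {           # fields look like "start=2048," "size=39843840,"
        f = $i; gsub(/,/, "", f); split(f, kv, "=")
        if (kv[1] == "start") start = kv[2] + 0
        if (kv[1] == "size")  size  = kv[2] + 0
      }
      end = start + size
      if ($1 == part) seen = 1
      if (end > maxend) { maxend = end; last = $1 }
    }
    END {
      if (!seen) { print "unknown partition " part; exit 2 }
      if (last == part) { print "ok: " part " is the last partition on the disk"; exit 0 }
      print "refuse: " last " lies after " part "; redeploy with a larger disk instead"; exit 1
    }'
}

growpart_args() {
  # /dev/nvme0n1p1 -> "/dev/nvme0n1 1", /dev/sda2 -> "/dev/sda 2"
  local part=$1 num disk
  num=${part##*[!0-9]}
  disk=${part%"$num"}
  disk=${disk%p}          # NVMe (and mmcblk) names insert a 'p' before the partition number
  printf '%s %s\n' "$disk" "$num"
}

# Constructed dump: root, then an extended container holding swap (the gotcha case)
DUMP_EXTENDED='label: dos
device: /dev/nvme0n1
unit: sectors

/dev/nvme0n1p1 : start=2048, size=39843840, type=83, bootable
/dev/nvme0n1p2 : start=39847934, size=2093058, type=5
/dev/nvme0n1p5 : start=39847936, size=2093056, type=82'

# Constructed dump: root is the last partition, so a live grow is safe
DUMP_ROOT_LAST='label: dos
device: /dev/nvme0n1
unit: sectors

/dev/nvme0n1p1 : start=2048, size=41940992, type=83, bootable'
```

On a real guest, run `can_grow_live "$(sfdisk -d /dev/nvme0n1)" /dev/nvme0n1p1` after the vmdk has been grown on the ESXi side, and only on success continue with `growpart $(growpart_args /dev/nvme0n1p1)` followed by the filesystem resize.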
