iDRAC
v1.1.0Monitor and manage Dell PowerEdge servers via iDRAC Redfish API (iDRAC 8/9). Use when asked to: - Check server hardware status, health, or temperatures - Que...
⭐ 0· 697·1 current·1 all-time
byEddy@eddygk
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, required binaries (curl, jq), the helper script, and the endpoints reference all align with a Redfish/iDRAC management skill. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
Runtime instructions are narrowly scoped to reading ~/.config/idrac-skill/config, hydrating credentials (file/env/1Password), and calling the configured IDRAC_IP over HTTPS. Caveats: the skill will connect to whatever IDRAC_IP the user places in config (so a misconfigured value could send credentials off-network), and the script deliberately disables TLS verification (-k) to accommodate self-signed iDRAC certs — this is noted in SKILL.md but is a security trade-off.
Install Mechanism
No install spec; the skill is instruction/script-only and won't download or install third-party packages. This is the lowest-risk model for install behavior.
Credentials
The skill does not require global secrets. It reads/writes a local credential cache (~/.idrac-credentials) and may read IDRAC_USER/IDRAC_PASS when configured for env mode. Optional 1Password integration uses the op CLI. Writing credentials to a local file is needed for curl -u usage but should be considered when sharing/backing up the home directory.
Persistence & Privilege
always is false and the skill is user-invocable. It writes only its own config and credential cache in the user's home (~/.config/idrac-skill/config and ~/.idrac-credentials) and does not modify other skills or system-wide settings.
Assessment
This skill appears to be what it claims, but consider these practical cautions before installing/using it:
- Ensure IDRAC_IP in ~/.config/idrac-skill/config is the intended internal iDRAC host(s); the script will send your credentials to whatever host is configured. Do not point it at unknown or internet-facing hosts.
- The helper caches credentials to ~/.idrac-credentials (mode 600). That mitigates but does not eliminate risk — avoid including that file in backups or shared repos. If you prefer no file cache, use CREDS_SOURCE=env and set IDRAC_USER/IDRAC_PASS in a controlled session.
- TLS verification is disabled (curl -k) because many iDRACs use self-signed certs. If you can supply valid certs or enable verification for your environment, that is more secure.
- Optional 1Password integration requires the op CLI; when used, the script extracts and writes creds to the same local cache file. Review that behavior if you rely on JIT secrets management.
- Verify curl and jq are from trusted system packages and inspect scripts locally before running. The skill is script-based and will only act on the configured host, but a misconfiguration can lead to credential exposure.
Overall, the skill is coherent with its stated purpose; follow the above operational precautions for secure use.Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🖥️ Clawdis
OSmacOS · Linux
Binscurl, jq
latest
iDRAC Skill
Monitor and manage Dell PowerEdge servers via iDRAC Redfish API.
First-Time Setup
Create a config file at ~/.config/idrac-skill/config:
mkdir -p ~/.config/idrac-skill
cat > ~/.config/idrac-skill/config <<'EOF'
# iDRAC connection settings
IDRAC_IP="<your-idrac-ip>"
# Credential source: "1password" | "file" | "env"
CREDS_SOURCE="file"
# For CREDS_SOURCE="1password":
# OP_ITEM="<1password-item-name>"
#
# For CREDS_SOURCE="file":
# Create ~/.idrac-credentials with contents: username:password
# chmod 600 ~/.idrac-credentials
#
# For CREDS_SOURCE="env":
# Export IDRAC_USER and IDRAC_PASS
EOF
Authentication
The helper script supports three credential sources:
| Source | Config | How It Works |
|---|---|---|
| 1password | OP_ITEM="item-name" | Pulls username:password via op CLI, caches to ~/.idrac-credentials |
| file | (default) | Reads ~/.idrac-credentials (format: user:pass, mode 600) |
| env | — | Uses $IDRAC_USER and $IDRAC_PASS environment variables |
Helper Script
Location: scripts/idrac.sh (relative to this skill directory)
idrac.sh test # Test connectivity and authentication
idrac.sh status # System summary (model, power, CPU, memory)
idrac.sh health # Health checks (temps, fans, power)
idrac.sh power # Current power state
idrac.sh inventory # Full hardware inventory
idrac.sh logs # Recent system event log entries (last 10)
idrac.sh thermal # Detailed temperature and fan status
idrac.sh storage # RAID/disk status
idrac.sh reset-types # Available power reset types
Workflow
- Load config from
~/.config/idrac-skill/config - Hydrate credentials (JIT pattern) if needed
- Determine operation type:
- Read-only (status, health, logs, inventory) → Execute directly
- Destructive (power off, restart, BIOS changes) → Confirm with user first
- Query Redfish API via curl + Basic Auth (or session token for batch ops)
- Parse JSON with jq
- Surface findings to user in natural language
- Never expose credentials in responses
Endpoint Reference
For raw Redfish API endpoints (system info, thermal, storage, network, logs, power ops, BIOS, firmware, session auth, Dell OEM attributes):
→ See references/endpoints.md
Security Notes
- Never log or display credentials — use
--silentand pipe to jq - Credential file must be mode 600 (
chmod 600 ~/.idrac-credentials) - TLS verification disabled (
-k) — iDRAC uses self-signed certs (acceptable for private networks) - Power operations are destructive — confirm with user before executing shutdown/restart
Compatibility
Works with Dell iDRAC 8 (Redfish 1.0–1.4) and iDRAC 9 (Redfish 1.6+). Covers PowerEdge 13th gen (R630/R730) through current gen. See endpoints reference for version-specific notes.
Note: iDRAC 8 API responses can take 5–10s per call. The test command makes 4 sequential calls (~30–40s total). Set exec timeouts accordingly. iDRAC 9 is significantly faster.
Comments
Loading comments...