Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
kubeasz-deploy
v1.0.0 · Provides Kubernetes cluster deployment guidance for K8s beginners, supporting AllinOne quick trials and high-availability production deployments.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and the included guides consistently describe using kubeasz to deploy Kubernetes; that purpose is coherent. However the skill metadata declares required binaries 'ansible' and 'ezctl' even though the guides repeatedly state kubeasz runs Ansible inside a Docker container and use 'docker exec -it kubeasz ezctl' or ./ezdown to obtain tooling. Requiring a local 'ansible' binary appears unnecessary; requiring 'ezctl' is borderline (ezctl is typically inside the kubeasz container or downloaded by the guide). This is a small mismatch worth noting but plausibly benign.
Instruction Scope
SKILL.md and the guides give explicit, deployment-scoped instructions (OS checks, docker/install commands, ssh-keygen/ssh-copy-id, wget from GitHub, docker exec ezctl commands, etc.). These steps legitimately require reading system files and running privileged commands on the deployment host and remote nodes. They do not request unrelated data, but they do instruct actions that access SSH keys, system configuration (/etc/*), and to run remote commands — which increases risk if executed without human review.
Install Mechanism
Instruction-only skill with no install spec and no downloaded third-party archives defined in the skill bundle. The guides instruct downloading ezdown from GitHub releases and using Docker; those are standard and expected for kubeasz.
Credentials
The skill declares no environment variables or secrets, which is proportionate. However the runtime steps explicitly instruct generating and copying SSH keys and running commands that use private files (e.g., ~/.ssh/id_rsa, /etc/kubeasz). Those are necessary for cluster deployment but are sensitive — the skill does not request external credentials, but it will operate on local secrets if invoked.
Persistence & Privilege
The skill does not request persistent privileges or set always:true. It is user-invocable and can be run by the agent, which is the platform default and expected for a deployment helper.
What to consider before installing
This skill appears to be a genuine kubeasz deployment guide, but review a few things before running it:
1) The metadata requires 'ansible' though the guide says Ansible runs inside a Docker container — you likely don't need a host Ansible binary.
2) The agent/instructions will generate and copy SSH keys and run commands that access ~/.ssh and /etc paths and run root-level install commands (including curl | bash examples). Only run these steps on machines you control and review each command before executing.
3) Downloads come from GitHub releases (standard) — verify release URLs and checksums if possible.
4) Prefer running initial experiments in an isolated VM or non-production environment, and back up any important data/keys.
If you want, provide the agent with explicit instructions to never transmit private keys or other secrets externally and to show commands for manual copy-paste rather than executing automatically.
Like a lobster shell, security has layers — review code before you run it.
latest vk97403rxryh4tvct7a8a0e0bdx84fh0z
Runtime requirements
🚀 Clawdis
Bins: ansible, ezctl
