Vmware Monitor

v1.5.12

Use this skill for safe, risk-free queries of VMware infrastructure — code-level enforced safety means no destructive operations exist in the codebase. Direc...

⭐ 1· 909·0 current·0 all-time

by@zw008

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

Name/description (read-only VMware monitor) aligns with required items: a vmware-monitor CLI binary, a config file path, and per-target password env vars. Requiring VMWARE_MONITOR_CONFIG and per-target VMWARE_<TARGET>_PASSWORD envs is proportionate for a vSphere read-only tool. Minor oddity: SKILL.md lists an installer (uv package) even though registry metadata flagged this as an instruction-only skill (no install spec).

ℹ

Instruction Scope

Runtime instructions stick to read-only operations (list VMs/hosts/datastores, alarms, events, scanning). They instruct agents to use the vmware-monitor CLI and to create/read ~/.vmware-monitor/config.yaml and ~/.vmware-monitor/.env. This is within scope, but the skill also advises embedding the config path into MCP settings (which could expose config contents if not handled carefully). The claim that webhook payloads contain no credentials/IPs/PII and that background scanning is opt-in reduces concern, but those are assertions you cannot verify from the bundle alone.

Install Mechanism

Registry metadata says 'No install spec — instruction-only', but SKILL.md contains an installer block (kind: uv, package: vmware-monitor) and multiple install instructions (uv tool install, PyPI, GitHub, npx, clawhub). Because the bundle contains only documentation and no code, the actual runtime binary would be fetched from external sources (PyPI/GitHub) at install time — this requires trusting those external packages. The install sources listed (PyPI/GitHub) are common, but the mismatch between registry metadata and SKILL.md is an incoherence that should be resolved before trusting install behavior.

ℹ

Credentials

Requested env/config items map to the skill's function: VMWARE_MONITOR_CONFIG (path to config.yaml) and per-target VMWARE_<TARGET>_PASSWORD values in ~/.vmware-monitor/.env. Optional SLACK_WEBHOOK_URL / DISCORD_WEBHOOK_URL are reasonable for notifications. One minor issue: the metadata marks VMWARE_MONITOR_CONFIG as the 'primary credential' even though it points at a config file (not a secret) — this is confusing but not inherently dangerous. Storing per-target passwords in .env is expected, but be sure to use least-privileged accounts and secure the file (the docs recommend chmod 600).

✓

Persistence & Privilege

always:false and disable-model-invocation:false (default) — normal. The daemon/scanner is explicitly user-started; no automatic background services are declared. The skill does state an audit DB will be written to ~/.vmware/audit.db (via vmware-policy dependency) which is reasonable for monitoring but is a persistent artifact to be aware of.

What to consider before installing

This skill appears to be a read-only VMware monitoring wrapper, but the distributed bundle contains only docs — no code to inspect — and the SKILL.md claims an installer while registry metadata claims 'instruction-only'. Before installing or giving it credentials: 1) Review the vmware-monitor package on PyPI and the referenced GitHub repo (https://github.com/zw008/VMware-Monitor) and confirm the code is indeed read-only and matches the documentation. 2) Use least-privileged monitoring accounts in vCenter/ESXi, not admin/root credentials. 3) Store per-target passwords in the local .env with strict permissions (chmod 600) and avoid putting secrets into shared agent config files. 4) Only enable webhooks to endpoints you control and verify payload contents. 5) If you need stronger assurance, fetch and inspect the package source locally (or run it in an isolated environment) before granting network or credential access. The inconsistency about install metadata reduces confidence — resolve that before relying on the skill for production monitoring.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📊 Clawdis

OSmacOS · Linux

Binsvmware-monitor

EnvVMWARE_MONITOR_CONFIG

Config~/.vmware-monitor/config.yaml, ~/.vmware-monitor/.env

Primary envVMWARE_MONITOR_CONFIG

esxivk972sjh5a0ryq9jhz6m87pshch830yq1latestvk976cp8g1k131m0garqw1a4bxs8516wmmonitoringvk972sjh5a0ryq9jhz6m87pshch830yq1read-onlyvk972sjh5a0ryq9jhz6m87pshch830yq1safetyvk972sjh5a0ryq9jhz6m87pshch830yq1vcentervk972sjh5a0ryq9jhz6m87pshch830yq1vmwarevk972sjh5a0ryq9jhz6m87pshch830yq1

909downloads

1stars

41versions

Updated 23h ago

v1.5.12

MIT-0

macOS, Linux

VMware Monitor (Read-Only)

Disclaimer: This is a community-maintained open-source project and is not affiliated with, endorsed by, or sponsored by VMware, Inc. or Broadcom Inc. "VMware" and "vSphere" are trademarks of Broadcom. Source code is publicly auditable at github.com/zw008/VMware-Monitor under the MIT license.

Read-only VMware vCenter/ESXi monitoring — 8 MCP tools, zero destructive code.

Code-level safety: This skill contains NO power, create, delete, snapshot, or modify operations. Not disabled — they don't exist in the codebase. Companion skills: vmware-aiops (VM lifecycle), vmware-storage (iSCSI/vSAN), vmware-vks (Tanzu Kubernetes), vmware-nsx (NSX networking), vmware-nsx-security (DFW/firewall), vmware-aria (metrics/alerts/capacity), vmware-avi (AVI/ALB/AKO). | vmware-pilot (workflow orchestration) | vmware-policy (audit/policy)

What This Skill Does

Category	Capabilities
Inventory	List VMs, ESXi hosts, datastores, clusters
Health	Active alarms, recent events (filter by severity/time)
VM Details	CPU, memory, disks, NICs, snapshots, guest OS, IP
Scanning	Scheduled alarm/log scanning with Slack/Discord webhooks

Quick Install

uv tool install vmware-monitor
vmware-monitor doctor

When to Use This Skill

List or search VMs, hosts, datastores, clusters
Check active alarms or recent events
Get detailed info about a specific VM
Set up scheduled monitoring with webhook alerts
Any read-only VMware query where safety is paramount

Alarm/Event Output: `suggested_actions` Field

get_alarms and get_events results include a suggested_actions list. Each item is a ready-to-use hint pointing to the correct companion skill and tool:

{
  "alarm_name": "VM CPU Ready High",
  "entity_name": "prod-db-01",
  "suggested_actions": [
    "vmware-aiops: acknowledge_vcenter_alarm(entity_name='prod-db-01', alarm_name='VM CPU Ready High')",
    "vmware-aiops: reset_vcenter_alarm(entity_name='prod-db-01', alarm_name='VM CPU Ready High')"
  ]
}

AI agents (especially smaller local models) can read these hints directly to determine which skill and tool to call next, without needing to reason about skill routing themselves.

Use companion skills for:

Power on/off, deploy, clone, migrate --> vmware-aiops
iSCSI, vSAN, datastore management --> vmware-storage
Tanzu Kubernetes clusters --> vmware-vks
Load balancing, AVI/ALB, AKO, Ingress --> vmware-avi

Related Skills — Skill Routing

User Intent	Recommended Skill
Read-only vSphere monitoring, zero risk	vmware-monitor ← this skill
Storage: iSCSI, vSAN, datastores	vmware-storage
VM lifecycle, deployment, guest ops	vmware-aiops
Tanzu Kubernetes (vSphere 8.x+)	vmware-vks
NSX networking: segments, gateways, NAT	vmware-nsx
NSX security: DFW rules, security groups	vmware-nsx-security
Aria Ops: metrics, alerts, capacity planning	vmware-aria
Multi-step workflows with approval	vmware-pilot
Load balancer, AVI, ALB, AKO, Ingress	vmware-avi (`uv tool install vmware-avi`)
Audit log query	vmware-policy (`vmware-audit` CLI)

Common Workflows

Daily Health Check

Check alarms --> vmware-monitor health alarms --target prod-vcenter
Review recent events --> vmware-monitor health events --hours 24 --severity warning
List hosts --> vmware-monitor inventory hosts --> check connection state and memory usage
If connection fails --> run vmware-monitor doctor to diagnose config/network issues

Investigate a Specific VM

Find the VM --> vmware-monitor inventory vms --power-state poweredOff
Get details --> vmware-monitor vm info problem-vm
Check related events --> vmware-monitor health events --hours 48
If VM not found --> verify VM name with vmware-monitor inventory vms --limit 100 or check target with --target <other-vcenter>

Set Up Continuous Monitoring

Configure webhook in ~/.vmware-monitor/config.yaml
Start daemon --> vmware-monitor daemon start
Daemon scans every 15 min, sends alerts to Slack/Discord

Usage Mode

Scenario	Recommended	Why
Local/small models (Ollama, Qwen)	CLI	~2K tokens vs ~8K for MCP
Cloud models (Claude, GPT-4o)	Either	MCP gives structured JSON I/O
Automated pipelines	MCP	Type-safe parameters, structured output

MCP Tools (8 — all read-only)

Tool	Description
`list_virtual_machines`	List VMs with filtering (power state, sort, limit)
`list_esxi_hosts`	ESXi hosts with CPU, memory, version, uptime
`list_all_datastores`	Datastores with capacity, free space, type
`list_all_clusters`	Clusters with host count, DRS/HA status
`get_alarms`	All active/triggered alarms — includes `suggested_actions` remediation hints
`get_events`	Recent events filtered by severity and time — includes `suggested_actions` hints
`vm_info`	Detailed VM info (CPU, memory, disks, NICs, snapshots)

All tools are read-only. No tool can modify, create, or delete any resource.

CLI Quick Reference

vmware-monitor inventory vms [--target <t>] [--limit 20] [--power-state poweredOn]
vmware-monitor inventory hosts [--target <t>]
vmware-monitor inventory datastores [--target <t>]
vmware-monitor inventory clusters [--target <t>]
vmware-monitor health alarms [--target <t>]
vmware-monitor health events [--hours 24] [--severity warning]
vmware-monitor vm info <vm-name> [--target <t>]
vmware-monitor scan now [--target <t>]
vmware-monitor daemon start|stop|status
vmware-monitor doctor [--skip-auth]

Full CLI reference: see references/cli-reference.md

Troubleshooting

Alarms returns empty but vCenter shows alarms

The get_alarms tool queries triggered alarms at the root folder level. Some alarms are entity-specific — try checking events instead: get_events --hours 1 --severity info.

"Connection refused" error

Run vmware-monitor doctor to diagnose
Verify target hostname/IP and port (443) in config.yaml
For self-signed certs: set disableSslCertValidation: true

Events returns too many results

Use severity filter: --severity warning (default) filters out info-level events. Use --hours 4 to narrow time range.

VM info shows "guest_os: unknown"

VMware Tools not installed or not running in the guest. Install/start VMware Tools for guest OS detection, IP address, and guest family info.

Doctor passes but commands fail with timeout

vCenter may be under heavy load. Try targeting a specific ESXi host directly instead of vCenter, or increase connection timeout in config.yaml.

Setup

uv tool install vmware-monitor
mkdir -p ~/.vmware-monitor
vmware-monitor init
chmod 600 ~/.vmware-monitor/.env  # if using webhooks

All tools are automatically audited via vmware-policy. Audit logs: vmware-audit log --last 20

Full setup guide, security details, and AI platform compatibility: see references/setup-guide.md

Audit & Safety

All operations are automatically audited via vmware-policy (@vmware_tool decorator):

Every tool call logged to ~/.vmware/audit.db (SQLite, framework-agnostic)
Policy rules enforced via ~/.vmware/rules.yaml (deny rules, maintenance windows, risk levels)
Risk classification: each tool tagged as low/medium/high/critical
View recent operations: vmware-audit log --last 20
View denied operations: vmware-audit log --status denied

vmware-policy is automatically installed as a dependency — no manual setup needed.

License

MIT — github.com/zw008/VMware-Monitor

Comments

Loading comments...