VMware Storage

v1.5.12

Use this skill whenever the user needs to manage VMware storage — datastores, iSCSI targets, and vSAN clusters. Directly handles: browse datastores, scan for...

Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (datastores, iSCSI, vSAN) align with required binary (vmware-storage), config paths (~/.vmware-storage/config.yaml, .env), and per-target password env vars. Required artifacts are exactly what a storage management CLI would need.
Instruction Scope
SKILL.md instructs only local operations: reading the config and .env, connecting to vCenter/ESXi via pyVmomi, browsing datastores, running iscsi/vsan operations, and performing local audit logging. It explicitly states stdio MCP transport and no outbound network calls beyond vSphere targets. The doctor command runs network/connectivity checks to configured targets — this is expected for the described purpose.
Install Mechanism
This is an instruction-only skill (no install spec in the registry). SKILL.md documents standard install paths (uv tool, pip, from source) and no suspicious remote-download/extract steps are present in the package metadata. Install instructions are proportional to the project.
Credentials
Requested environment/config items (VMWARE_STORAGE_CONFIG and per-target VMWARE_<TARGET>_PASSWORD variables stored/read via ~/.vmware-storage/.env) are appropriate for vSphere access. Minor inconsistency: registry metadata lists VMWARE_STORAGE_CONFIG as the 'primary credential' even though it is a config path (not a secret); per-target passwords are the actual secrets. Ensure you understand where secrets live (the .env file) and that file permissions are enforced (docs recommend chmod 600).
Persistence & Privilege
Skill does not request always:true or any system-wide configuration changes to other skills. It writes local audit logs (~/.vmware/audit.db) and uses local config directories — these are reasonable for auditability and restore. Autonomous invocation (disable-model-invocation: false) is the platform default and not, by itself, a red flag here.
Scan Findings in Context
[no_code_files] expected: This is an instruction-only skill; the regex scanner had no code files to analyze. The security-relevant surface is the SKILL.md and referenced config paths, which were reviewed.
Assessment
This skill looks coherent for managing VMware storage. Before installing, verify the vmware-storage binary/package comes from the linked GitHub repo or your trusted package source; confirm the package release you install matches the repo. Store per-target passwords only in the .env file with restrictive permissions (chmod 600) and avoid committing secrets into config.yaml. Review the audit DB (~/.vmware/audit.db) location and ensure it is stored where you want audit records kept. Note the optional webhook_url in the example config — if you set a webhook, that enables outbound notifications. Finally, verify network access: the tool will reach your vCenter/ESXi hosts (port 443 by default) to perform checks and operations; run doctor to validate connectivity and authentication before running write operations. If you need higher assurance, inspect the upstream GitHub repository source and pip package content before use.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🗄️ Clawdis
OS: macOS · Linux
Bins: vmware-storage
Env: VMWARE_STORAGE_CONFIG
Config: ~/.vmware-storage/config.yaml, ~/.vmware-storage/.env
Primary env: VMWARE_STORAGE_CONFIG
Latest: vk9735k038p5wyjhtavqk9pvwdn851tfq
Downloads: 396
Stars: 0
Versions: 25
Updated 2d ago
License: MIT-0

VMware Storage

Disclaimer: This is a community-maintained open-source project and is not affiliated with, endorsed by, or sponsored by VMware, Inc. or Broadcom Inc. "VMware" and "vSphere" are trademarks of Broadcom. Source code is publicly auditable at github.com/zw008/VMware-Storage under the MIT license.

VMware vSphere storage management — 11 MCP tools for datastores, iSCSI, and vSAN.

Split from vmware-aiops for lighter context and local model compatibility. Companion skills: vmware-aiops (VM lifecycle), vmware-monitor (read-only monitoring), vmware-vks (Tanzu Kubernetes), vmware-nsx (NSX networking), vmware-nsx-security (DFW/firewall), vmware-aria (metrics/alerts/capacity), vmware-avi (AVI/ALB/AKO), vmware-pilot (workflow orchestration), vmware-policy (audit/policy).

What This Skill Does

| Category | Tools | Count |
|---|---|---|
| Datastore | list all datastores, browse files, scan for OVA/ISO/OVF/VMDK images, list cached images | 4 |
| iSCSI | enable adapter, show status, add target, remove target, rescan HBAs | 5 |
| vSAN | cluster health summary, capacity overview (total/used/free) | 2 |

Quick Install

uv tool install vmware-storage
vmware-storage doctor

When to Use This Skill

  • Browse datastore files or scan for deployable images (OVA/ISO/VMDK)
  • Configure iSCSI: enable adapter, add/remove send targets, rescan storage
  • Check vSAN cluster health and capacity
  • Any storage-focused VMware operation

Use companion skills for:

  • VM lifecycle, deployment, guest ops → vmware-aiops
  • Inventory, health, alarms, events → vmware-monitor
  • Tanzu Kubernetes → vmware-vks
  • Load balancing, AVI/ALB, AKO, Ingress → vmware-avi

Related Skills — Skill Routing

| User Intent | Recommended Skill |
|---|---|
| Read-only monitoring, alarms, events | vmware-monitor |
| Storage: iSCSI, vSAN, datastores | vmware-storage ← this skill |
| VM lifecycle, deployment, guest ops | vmware-aiops |
| Tanzu Kubernetes (vSphere 8.x+) | vmware-vks |
| NSX networking: segments, gateways, NAT | vmware-nsx |
| NSX security: DFW rules, security groups | vmware-nsx-security |
| Aria Ops: metrics, alerts, capacity planning | vmware-aria |
| Multi-step workflows with approval | vmware-pilot |
| Load balancer, AVI, ALB, AKO, Ingress | vmware-avi (uv tool install vmware-avi) |
| Audit log query | vmware-policy (vmware-audit CLI) |

Common Workflows

Set Up iSCSI Storage on a Host

  1. Enable iSCSI adapter → vmware-storage iscsi enable esxi-01
  2. Add target → vmware-storage iscsi add-target esxi-01 <iscsi-target-ip>
  3. Verify → vmware-storage iscsi status esxi-01

The add-target command automatically rescans storage after adding the target. If you need an additional rescan later:

  1. Rescan → vmware-storage iscsi rescan esxi-01

Dry-run first: Append --dry-run to any write command to preview without executing:

vmware-storage iscsi enable esxi-01 --dry-run
vmware-storage iscsi add-target esxi-01 <iscsi-target-ip> --dry-run

Find Deployable Images Across Datastores

  1. List all datastores → vmware-storage datastore list
  2. Scan a datastore for images → vmware-storage datastore scan-images datastore01
  3. Browse with a pattern → vmware-storage datastore browse datastore01 --pattern "*.iso"
  4. If datastore not found → verify name with vmware-storage datastore list --target <vcenter>. Datastore names are case-sensitive.

To filter cached results by type or datastore, use the list_cached_images MCP tool with image_type and datastore parameters.

vSAN Health Assessment

  1. Check health → vmware-storage vsan health Cluster-Prod
  2. Check capacity → vmware-storage vsan capacity Cluster-Prod
  3. If issues found, investigate with vmware-monitor for alarms and events
  4. If vSAN not enabled → this cluster may not use vSAN. Check cluster type with vmware-monitor inventory clusters

Multi-Target Operations

All commands accept --target <name> to operate against a specific vCenter or ESXi host from your config:

# Default target (first in config.yaml)
vmware-storage datastore list

# Specific target
vmware-storage datastore list --target prod-vcenter
vmware-storage iscsi status esxi-lab --target lab-esxi

Usage Mode

| Scenario | Recommended | Why |
|---|---|---|
| Local/small models (Ollama, Qwen) | CLI | ~2K tokens vs ~8K for MCP |
| Cloud models (Claude, GPT-4o) | Either | MCP gives structured JSON I/O |
| Automated pipelines | MCP | Type-safe parameters, structured output |

MCP Tools (11 — 6 read, 5 write)

All MCP tools accept an optional target parameter to select which vCenter/ESXi to connect to.

| Category | Tool | Type | Description |
|---|---|---|---|
| Datastore | list_all_datastores | Read | List datastores with capacity, usage %, VM count |
| | browse_datastore | Read | Browse files with optional path and glob pattern |
| | scan_datastore_images | Read | Find OVA/ISO/OVF/VMDK in a datastore |
| | list_cached_images | Read | Query local image registry with type/datastore filters |
| iSCSI | storage_iscsi_status | Read | Show adapter status, HBA device, IQN, send targets |
| | storage_iscsi_enable | Write | Enable software iSCSI adapter on a host |
| | storage_iscsi_add_target | Write | Add iSCSI send target (IP + port) and rescan |
| | storage_iscsi_remove_target | Write | Remove iSCSI send target and rescan |
| | storage_rescan | Write | Rescan all HBAs and VMFS volumes |
| vSAN | vsan_health | Read | Cluster health summary and disk group details |
| | vsan_capacity | Read | Total/used/free capacity in GB and usage % |

Read/write split: 6 tools are read-only, 5 modify state. Write tools require explicit parameters (host name, IP address) and are audit-logged.

CLI Quick Reference

# Datastore
vmware-storage datastore list [--target <name>]
vmware-storage datastore browse <ds_name> [--path <subdir>] [--pattern "*.ova"]
vmware-storage datastore scan-images <ds_name> [--target <name>]

# iSCSI
vmware-storage iscsi enable <host> [--dry-run]
vmware-storage iscsi status <host>
vmware-storage iscsi add-target <host> <ip> [--port 3260] [--dry-run]
vmware-storage iscsi remove-target <host> <ip> [--port 3260] [--dry-run]
vmware-storage iscsi rescan <host> [--dry-run]

# vSAN
vmware-storage vsan health <cluster> [--target <name>]
vmware-storage vsan capacity <cluster> [--target <name>]

# Diagnostics
vmware-storage doctor [--skip-auth]

Full CLI reference with all options and output formats: see references/cli-reference.md

Troubleshooting

iSCSI enable fails with "already enabled"

Not an error. The software iSCSI adapter is already active on that host. The response includes the current HBA device name and IQN. Run iscsi status to see configured send targets.

"Datastore not found" when browsing

Datastore names are case-sensitive. Run vmware-storage datastore list to get the exact name. Common mistakes: Datastore1 vs datastore1, trailing spaces.

vSAN health shows "unknown" status

vSAN health checks require a vCenter connection (not standalone ESXi). The full VsanVcClusterHealthSystem runs via vCenter's vSAN Health Service. If connected to a standalone ESXi host, vSAN queries will fail or return limited info.

Rescan doesn't discover new LUNs

After adding iSCSI targets, the storage subsystem may need 10-30 seconds to enumerate new LUNs. Steps to resolve:

  1. Verify the target IP is reachable from the ESXi host (vmkping from ESXi shell)
  2. Check that the iSCSI target is correctly configured: vmware-storage iscsi status <host>
  3. Wait 15-30 seconds, then rescan again: vmware-storage iscsi rescan <host>

"Password not found" error

The password environment variable is missing. Variable names follow the pattern VMWARE_<TARGET_NAME_UPPER>_PASSWORD where hyphens become underscores. Example: target my-vcenter needs VMWARE_MY_VCENTER_PASSWORD. Check your ~/.vmware-storage/.env file.

Doctor reports ".env permissions too open"

The .env file contains passwords and must have owner-only permissions:

chmod 600 ~/.vmware-storage/.env
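
The two credential checks above (the password variable naming rule and the owner-only .env permissions) can be combined into one pre-flight check. This is an added example, not the project's doctor implementation; the function names and the plain KEY=VALUE parsing of .env are assumptions.

```python
from __future__ import annotations

import stat
from pathlib import Path


def password_env_name(target: str) -> str:
    """Naming rule from the page: upper-case the target, hyphens become underscores."""
    return "VMWARE_" + target.upper().replace("-", "_") + "_PASSWORD"


def read_env_keys(env_path: Path) -> set[str]:
    """Collect names of non-empty KEY=VALUE entries; values are never returned or logged."""
    keys = set()
    for line in env_path.read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            if value.strip():
                keys.add(key.strip())
    return keys


def preflight(targets: list[str], env_path: Path) -> list[str]:
    """Return findings for the .env file; an empty list means it passes."""
    findings = []
    mode = stat.S_IMODE(env_path.stat().st_mode)
    # Any group or other permission bit means the secrets are readable beyond the owner.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{env_path.name} mode {mode:o} is group/world accessible; expected 600")
    present = read_env_keys(env_path)
    for target in targets:
        name = password_env_name(target)
        if name not in present:
            findings.append(f"target {target!r}: {name} is not set")
    return findings
```

Call preflight() with the target names from config.yaml and the path to ~/.vmware-storage/.env; the findings name the missing variable but never print a password value.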

Connection timeout to vCenter

The doctor command tests connectivity with a 5-second TCP timeout. If your vCenter is on a high-latency network, the check may fail even though the connection works. Use --skip-auth to bypass both connectivity and auth checks, then test manually.

Safety

  • No VM operations: This skill cannot power on/off, create, delete, or modify VMs — that scope belongs to vmware-aiops
  • Read-heavy: 6 of 11 tools are read-only (list, browse, scan, status, health, capacity)
  • Audit logging: All operations (including reads) are logged to ~/.vmware/audit.db (SQLite WAL, via vmware-policy) with timestamp, user, target, operation, parameters, and result
  • Double confirmation: CLI write commands (iSCSI enable, add/remove target) require two separate "Are you sure?" prompts before executing
  • Dry-run mode: All write commands support --dry-run to preview API calls without executing
  • Input validation: IP addresses validated via ipaddress.ip_address(), ports checked for 1-65535 range, host/cluster/datastore names looked up before operations
  • Prompt injection defense: Datastore file names and paths from vSphere are sanitized via _sanitize() — strips control characters (C0/C1), truncates to 500 chars — preventing malicious file names from injecting instructions into downstream LLM agents
  • Credential safety: Passwords loaded only from environment variables (.env file), never from config.yaml; .env permissions are checked at startup

Full security details: see references/setup-guide.md
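
The input validation and prompt injection bullets above describe two small checks; the following is an added example of how such checks can be written, not the project's own _sanitize() or validation code. The names sanitize_name and validate_send_target are hypothetical, and stripping DEL (U+007F) alongside C0/C1 is a choice made here.

```python
from __future__ import annotations

import ipaddress
import re

# C0 controls (U+0000-U+001F) and C1 controls (U+0080-U+009F), as named on the page.
# DEL (U+007F) is included as well; that is an assumption of this example.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")
MAX_LEN = 500  # truncation limit stated on the page

# Constructed sample: a datastore file name carrying an ANSI escape and a line break.
SAMPLE_NAME = "disk\x1b[31m.vmdk\r\nnext line"


def sanitize_name(value: str, max_len: int = MAX_LEN) -> str:
    """Remove control characters first, then truncate, so the limit applies to kept text."""
    return _CONTROL_CHARS.sub("", value)[:max_len]


def validate_send_target(ip: str, port: int = 3260) -> tuple[str, int]:
    """Return a normalized (ip, port) pair or raise ValueError."""
    # ip_address() accepts only IPv4/IPv6 literals: host names, CIDR suffixes
    # and anything with shell or argument syntax in it raise ValueError.
    addr = ipaddress.ip_address(ip)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port!r}")
    return str(addr), port


if __name__ == "__main__":
    print(repr(sanitize_name(SAMPLE_NAME)))
    print(validate_send_target("2001:DB8::1"))
```

Removing control characters stops line breaks and terminal escapes from reaching the model or the log, but printable text in a file name passes through unchanged, so the consuming agent still has to treat names as untrusted data.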

Setup

uv tool install vmware-storage
mkdir -p ~/.vmware-storage
cp config.example.yaml ~/.vmware-storage/config.yaml
# Edit config.yaml with your vCenter/ESXi targets

# Add to ~/.vmware-storage/.env (create if missing, chmod 600):
# VMWARE_MY_VCENTER_PASSWORD=<your-password>
chmod 600 ~/.vmware-storage/.env

vmware-storage doctor

All tools are automatically audited via vmware-policy. Audit logs: vmware-audit log --last 20

Full setup guide with multi-target config, MCP server setup, and Docker: see references/setup-guide.md

Architecture

User (natural language)
  ↓
AI Agent (Claude Code / Goose / Cursor)
  ↓ reads SKILL.md
vmware-storage CLI or MCP server (stdio transport)
  ↓ pyVmomi (vSphere SOAP API)
vCenter Server / ESXi
  ↓
Datastores / iSCSI / vSAN

The MCP server uses stdio transport (local only, no network listener). Connections to vSphere use SSL/TLS on port 443.

Audit & Safety

All operations are automatically audited via vmware-policy (@vmware_tool decorator):

  • Every tool call logged to ~/.vmware/audit.db (SQLite, framework-agnostic)
  • Policy rules enforced via ~/.vmware/rules.yaml (deny rules, maintenance windows, risk levels)
  • Risk classification: each tool tagged as low/medium/high/critical
  • View recent operations: vmware-audit log --last 20
  • View denied operations: vmware-audit log --status denied

vmware-policy is automatically installed as a dependency — no manual setup needed.

License

MIT — github.com/zw008/VMware-Storage
