lorax
Review
Audited by ClawScan on May 10, 2026.
Overview
Visible instructions match a Lorax image-building skill, but the sample configuration includes a predictable root password and a disk-wiping installer directive, so it needs review before use.
Install only if you understand Lorax/Kickstart image building and will review generated configs before use. Do not use the sample root password, and be especially careful with partitioning directives like clearpart --all because they can erase disks during installation. The supplied SKILL.md excerpt was truncated, so this review is based on the visible artifacts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the sample installer configuration as-is could wipe disks on a target machine during installation.
The example writes a Kickstart file containing an automatic 'clear all partitions' directive; if used in an installer workflow, it can erase target disks without additional per-disk confirmation shown in the artifact.
cat > fedora-live.ks << 'EOF' ... clearpart --all --initlabel
Require explicit user confirmation for partitioning, document the destructive effect, and replace the example with a safer, clearly scoped disk layout.
A generated image could ship with a known root password, allowing unauthorized administrator access.
The sample sets the generated system root password to a predictable plaintext value; images built from it would have an obvious administrator credential unless changed.
rootpw --plaintext password
Use a locked root account or a hashed, user-supplied password, and clearly warn users not to use the sample password in real images.
Running these commands can install software, consume disk space, and write image files on the local machine.
The visible workflow asks the user or agent to install OS packages and run local image-building commands. This is central to the stated purpose, but it can change the host environment.
dnf install lorax lorax-templates-generic ... lorax ... livemedia-creator ... virt-builder
Run the skill only on an appropriate Fedora/RHEL build host or disposable VM, and review commands before granting elevated privileges.
Users may only discover missing or unsupported tools at runtime, and the agent may suggest manual setup steps on an unsuitable system.
The registry metadata does not declare the external Lorax-related tools that the SKILL instructions tell users to install and run, so automated dependency and OS suitability checks are not enforced.
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.
Declare required binaries and Fedora/RHEL/Linux OS expectations in metadata, or clearly gate setup commands behind user confirmation.
