lorax

Advisory. Audited by VirusTotal on Mar 23, 2026.

Overview

Type: OpenClaw Skill
Name: lorax
Version: 1.0.1

The 'lorax' skill bundle is a legitimate set of instructions and examples for using the Lorax toolset to build system images (ISO, QCOW2, Cloud images). The content in SKILL.md consists of standard documentation, command-line examples for tools like lorax, livemedia-creator, and virt-builder, and template configurations (Kickstart/Lorax templates). No evidence of malicious intent, data exfiltration, or harmful prompt injection was found; the high-privilege operations described are consistent with the stated purpose of OS image creation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

Using the sample installer configuration as-is could wipe disks on a target machine during installation.

Why it was flagged

The example writes a Kickstart file containing an automatic 'clear all partitions' directive; if used in an installer workflow, it can erase target disks without additional per-disk confirmation shown in the artifact.

Skill content

cat > fedora-live.ks << 'EOF' ... clearpart --all --initlabel

Recommendation

Require explicit user confirmation for partitioning, document the destructive effect, and replace the example with a safer, clearly scoped disk layout.

What this means

A generated image could ship with a known root password, allowing unauthorized administrator access.

Why it was flagged

The sample sets the generated system root password to a predictable plaintext value; images built from it would have an obvious administrator credential unless changed.

Skill content

rootpw --plaintext password

Recommendation

Use a locked root account or a hashed, user-supplied password, and clearly warn users not to use the sample password in real images.

What this means

Running these commands can install software, consume disk space, and write image files on the local machine.

Why it was flagged

The visible workflow asks the user or agent to install OS packages and run local image-building commands. This is central to the stated purpose, but it can change the host environment.

Skill content

dnf install lorax lorax-templates-generic ... lorax ... livemedia-creator ... virt-builder

Recommendation

Run the skill only on an appropriate Fedora/RHEL build host or disposable VM, and review commands before granting elevated privileges.

What this means

Users may only discover missing or unsupported tools at runtime, and the agent may suggest manual setup steps on an unsuitable system.

Why it was flagged

The registry metadata does not declare the external Lorax-related tools that the SKILL instructions tell users to install and run, so automated dependency and OS suitability checks are not enforced.

Skill content

Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Declare required binaries and Fedora/RHEL/Linux OS expectations in metadata, or clearly gate setup commands behind user confirmation.