Proxmox
v1.0.1Manage Proxmox VE clusters via REST API. Use when user asks to list, start, stop, restart VMs or LXC containers, check node status, create snapshots, view tasks, or manage Proxmox infrastructure. Requires API token or credentials configured.
⭐ 6· 3.4k·16 current·16 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name, description, SKILL.md, and scripts all consistently implement Proxmox VE REST API operations (list/start/stop/snapshots/tasks etc.), so purpose and capability match. However the skill metadata declares no required environment variables or binaries while the instructions and script clearly require PROXMOX_HOST, PROXMOX_TOKEN_ID, PROXMOX_TOKEN_SECRET and command-line tools (curl, jq).
Instruction Scope
The SKILL.md and scripts stay within the stated Proxmox management scope: they load credentials from ~/.proxmox-credentials or env, then call only the Proxmox API endpoints. They do not attempt to read unrelated system files. Notes: instructions recommend using -k (skip SSL verification) which weakens TLS security, and the script will source a credentials file in the user's home directory (expected but should be highlighted).
Install Mechanism
No install spec (instruction-only with an included helper script). This reduces supply-chain risk. The script file is included in the package and would be written to disk if the skill is installed; that's expected for a helper script but means users should inspect the script before running.
Credentials
The script and SKILL.md require sensitive Proxmox credentials (PROXMOX_HOST, PROXMOX_TOKEN_ID, PROXMOX_TOKEN_SECRET), which are appropriate for the stated purpose — but the skill metadata does not declare these required env vars or a primary credential. The metadata also omits required binaries (curl, jq). This mismatch could lead to silent failures or unexpected behavior and is a packaging/permissions concern.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It can be invoked by the model (default), which is expected for a tool that manages infrastructure.
What to consider before installing
This skill's functionality matches its description (it talks to the Proxmox API), but the package metadata is incomplete. Before installing or running it:
- Inspect scripts/pve.sh yourself (already included) and verify you are comfortable running it.
- Provide credentials only as a Proxmox API token with minimal privileges (create a token scoped only to the operations you need). Do not use full root/password if unnecessary.
- The skill expects PROXMOX_HOST, PROXMOX_TOKEN_ID, and PROXMOX_TOKEN_SECRET, and the system needs curl and jq — but the registry metadata does not declare these. Ensure those env vars/binaries are present and documented where you manage skills.
- Avoid using -k/--insecure in production; instead configure TLS properly or use a token over a trusted connection.
- Consider running first in a restricted test environment and limit the API token privileges (least privilege). If you need the skill to be allowed to run autonomously, treat that as higher risk and audit token scopes and logs.
If the publisher can update the skill metadata to declare the required env vars and binaries, and remove or document the use of -k, the package will be much more coherent and easier to trust.Like a lobster shell, security has layers — review code before you run it.
latestvk971zdskst19f7mjg7ven82pq17zpra5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.