Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SONiC KVM Testbed

v1.2.0

Deploy and manage a SONiC sonic-mgmt KVM virtual testbed with cEOS neighbors for running pytest-based network tests. Use when setting up a local KVM testbed,...

by Ying Xie (@yxieca)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
SKILL name/description (SONiC KVM testbed) aligns with the actions in SKILL.md: cloning sonic-mgmt, preparing sonic-vs and cEOS images, running testbed-cli.sh, setting up bridges, and running pytest. No unrelated cloud credentials or external services are requested.
Instruction Scope
Runtime instructions directly perform system-level operations: setting up a management bridge, modprobe/qemu-nbd mounting of images, docker imports/pulls, and running various ansible/testbed scripts. They also instruct creating users on DUTs, adding NOPASSWD sudoers entries, using sshpass with plaintext password files, and running `chmod 666 /var/run/docker.sock` — operations that expand scope to modifying host and DUT security posture and persistently weaken privileges.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is downloaded or executed by the skill package itself. This minimizes supply-chain/install risk, but the instructions will cause host changes when followed.
Credentials
The skill declares no required env vars or external credentials, which is appropriate, but the included references/scripts create and rely on many plaintext credentials and insecure defaults (passwords like 'password' and 'abc' in files, `group_vars/*` containing secrets, sshpass usage). It also recommends global privilege relaxations (NOPASSWD sudo entries, chmod 666 on docker socket) that are disproportionate unless run in an isolated test environment.
Persistence & Privilege
The skill is not force-included (always: false) and doesn't request platform-level persistence, but the documented steps create persistent artifacts (password.txt, modified ansible group_vars, changed sudoers entries, netplan file for br1) that alter system/DUT configuration across reboots. These persistent changes have real security implications and should be intentionally controlled.
What to consider before installing
This instruction-only skill appears coherent for building a SONiC KVM testbed, but it recommends several insecure or high-privilege actions. Before using it:
1) Run the whole procedure inside an isolated VM or disposable host to avoid weakening a production machine.
2) Replace the example passwords ('password', 'abc') and the practice of storing them in plaintext with stronger passwords and secure vaulting.
3) Avoid chmod 666 on /var/run/docker.sock; prefer adding the service account to the docker group or using limited sudo rules.
4) Prefer narrowly scoped sudoers entries instead of NOPASSWD ALL.
5) Avoid sshpass/plaintext password files where possible; use SSH keys or an encrypted vault.
6) Verify that any images/tarballs (cEOS, sonic-vs) come from trusted sources and confirm the GitHub repo/PR mentioned is authentic.
7) Review and restrict any fix scripts (fix-configs.sh) before running them; they modify ansible group_vars and can overwrite secrets.
If you cannot run in an isolated environment, treat this skill as risky and consider manual, hardened steps instead.
