Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vmware Aria

v1.4.5

Use this skill whenever the user needs VMware Aria Operations data — performance metrics, alerts, capacity planning, anomaly detection, and automated reports...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, required binary (vmware-aria), required config (~/.vmware-aria/config.yaml) and primary env var (VMWARE_ARIA_CONFIG) align with a tool that queries VMware Aria/vROps APIs for metrics, alerts, capacity, anomalies and reports.
Instruction Scope
SKILL.md instructs only Aria-related actions (CLI calls, config, env vars). However, its statements about capabilities contradict each other: some sections state that 'create alert definition' is supported, while the 'What vmware-aria Cannot Do' table says creating alert definitions/policies is not supported (UI required). The CLI reference and API coverage mostly list read endpoints for alert definitions (GET) but no definitive create POST. This discrepancy affects whether the agent is allowed to perform write operations (create/delete alert definitions).
Install Mechanism
This is instruction-only in the registry; SKILL.md shows standard install options (uv tool, pip, or from source on GitHub). No embedded installers or remote archive downloads in the skill bundle itself. The recommended installation methods are standard but you should verify the upstream package source before running pip or uv installs.
Credentials
Requested environment/config (VMWARE_ARIA_CONFIG, per-target VMWARE_ARIA_<TARGET>_PASSWORD vars, and ~/.vmware-aria/config.yaml) are appropriate for connecting to Aria Ops. No unrelated credentials or broad system paths are requested. The SKILL.md does reference storing passwords in a .env file and checks its permissions (600), which is consistent.
Persistence & Privilege
The skill does not request always: true and allows normal autonomous invocation. It declares a dependency on vmware-policy (auto-installed) and says operations are audited; however there is an inconsistency in audit log location: compatibility mentions ~/.vmware/audit.db while other docs reference ~/.vmware-aria/audit.log. Clarify which audit mechanism/path is used and what vmware-policy does when auto-installed.
What to consider before installing
This skill appears to be the right kind of tool for querying VMware Aria/vRealize Operations, and its required files and env vars are reasonable. However:
1) Clarify the conflicting statements about whether the CLI can create alert definitions — some files claim create/delete is supported, others explicitly say those actions require the UI. That affects whether the skill will perform write operations.
2) Confirm the audit location and what 'vmware-policy' auto-install does (compatibility lists ~/.vmware/audit.db vs docs that log to ~/.vmware-aria/audit.log).
3) Only install the vmware-aria binary from a trusted source (official GitHub repo or vetted package repository); prefer reviewing the upstream repo (https://github.com/zw008/VMware-Aria) and package contents before pip/uv install.
4) Follow the principle of least privilege for Aria credentials (ReadOnly role for monitoring; PowerUser only if you intend to acknowledge/cancel alerts).
5) Verify config and .env file permissions (600) and verify network endpoints (Aria Ops on port 443) before enabling.
If the author can clarify the create/CRUD capabilities and the audit path, confidence would increase.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📊 Clawdis
OS: macOS · Linux
Bins: vmware-aria
Env: VMWARE_ARIA_CONFIG
Config: ~/.vmware-aria/config.yaml
Primary env: VMWARE_ARIA_CONFIG
