ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vmware Nsx Security

v1.4.6

Use this skill whenever the user needs to manage VMware NSX security — distributed firewall (DFW) policies, security groups, microsegmentation, and IDS/IPS....

0· 129·0 current·0 all-time
by@zw008
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims NSX distributed firewall, groups, tags, traceflow, and IDPS operations and the SKILL.md instructs use of a 'vmware-nsx-security' CLI and a config file under ~/.vmware-nsx-security — this is coherent for the stated purpose. Minor note: SKILL metadata mentions an auto-installed companion 'vmware-policy' but the registry shows no install spec; that's a documentation/packaging mismatch rather than a direct functional mismatch.
!
Instruction Scope
The SKILL.md instructs the agent to run CLI commands that will perform read/write operations on NSX Managers (expected). However the docs also instruct managing sensitive items (passwords via .env / env vars), running a 'doctor' check that validates authentication, and configuring an MCP server that will be invoked by agents. The instructions are permissive about secrets (telling users to set password env vars) and grant the skill scope to read config and .env files — the runtime instructions access environment variables and filesystem paths containing credentials that are not fully declared in the registry metadata.
Install Mechanism
This is an instruction-only skill (no install spec in the registry), so nothing is written automatically by the registry scan. SKILL.md recommends installing a uv package (uv tool install vmware-nsx-security); because the registry provides no install artifact, you should verify the uv package source before installing. Instruction-only status lowers installer risk, but the user will still install a binary (vmware-nsx-security) from an external package manager.
!
Credentials
Registry metadata only lists VMWARE_NSX_SECURITY_CONFIG as a required env var / primary credential (which is a path to a YAML file, not a secret). The SKILL.md and references clearly require additional environment variables for target passwords (VMWARE_NSX_SECURITY_<TARGET>_PASSWORD) and may read a ~/.vmware-nsx-security/.env file. Those credential env vars are not declared in requires.env; primaryEnv is set to a config path rather than an authentication secret. This mismatch means the agent may read secrets not represented in the registry metadata — a proportionality and transparency concern.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. SKILL.md documents optional MCP server configuration (command vmware-nsx-security-mcp) which runs on-demand via stdio; this is normal for MCP-based CLI integrations and does not itself indicate elevated persistent privileges.
What to consider before installing
This skill appears to do what it says (NSX DFW, groups, tags, traceflow, IDPS), but there are several metadata vs. documentation mismatches you should resolve before installing: - Verify source and package integrity: SKILL.md recommends 'uv tool install vmware-nsx-security' but the registry has no install spec. Confirm the uv package origin (GitHub repo, checksums/signatures) before running it. - Confirm how credentials are supplied: the registry lists only VMWARE_NSX_SECURITY_CONFIG (a config path) as required, but the docs instruct use of environment variables like VMWARE_NSX_SECURITY_<TARGET>_PASSWORD and a ~/.vmware-nsx-security/.env file. Ask the maintainer (or inspect the package) to confirm which env vars the binary actually reads and whether any secrets are sent anywhere unexpected. - Audit/log path mismatch: the header mentions auditing to ~/.vmware/audit.db while the setup guide mentions ~/.vmware-nsx-security/audit.log. Check where audit logs are written and ensure they don't contain secrets and are appropriately permissioned. - Principle of least privilege: create/assign a dedicated NSX account with just the necessary DFW permissions (avoid global admin). Confirm the CLI honors password-only-in-env guidance and doesn't persist plaintext passwords into config files. - If you plan to enable MCP/autonomous invocation, be extra cautious: autonomous agents invoking this skill could make destructive changes. Keep always:false if you want to avoid forced inclusion, and restrict which agents/contexts may call the skill. If you can, obtain (or inspect) the actual vmware-nsx-security package/binary source and confirm the env var usage and network endpoints before installing. If you cannot verify those details, treat the inconsistent metadata as a potential risk and consider running the tool in a restricted environment or sandbox first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d36wjaefwm0zyad8eqkp36d84b2k2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔒 Clawdis
OSmacOS · Linux
Binsvmware-nsx-security
EnvVMWARE_NSX_SECURITY_CONFIG
Config~/.vmware-nsx-security/config.yaml
Primary envVMWARE_NSX_SECURITY_CONFIG

Comments