VMware Policy

v1.5.0

Unified audit logging, policy enforcement, and input sanitization for the entire VMware MCP skill family. Use when querying audit logs, managing policy rules...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description match the requested runtime artifacts: the skill requires the vmware-audit CLI and a rules file (~/.vmware/rules.yaml), and it documents an audit DB and a Python API/decorator. These requirements are appropriate for an audit/policy library that provides a CLI and a Python integration.
Instruction Scope
SKILL.md stays within the policy/audit domain (log queries, export, rules hot-reload, sanitize(), and a @vmware_tool decorator). It instructs the agent to import the Python package to copy a default rules file and to run the vmware-audit CLI. It also documents detection of several AI agent environment variables (e.g., CLAUDE_SESSION_ID, OPENAI_API_KEY, OLLAMA_HOST). The agent-detection behavior is plausible for auditing, but it means the skill will probe environment variables for presence (and possibly values) to classify the calling agent — review whether you want that in your environment.
Install Mechanism
The registry listing states this is instruction-only (no install spec), but the SKILL.md includes an 'installer: uv package: vmware-policy' snippet and recommends 'uv tool install vmware-policy' — this is consistent with a normal package install via the platform tooling. No remote downloads from untrusted URLs or archive extracts are present in the files provided.
Credentials
The skill does not request credentials or config beyond a local rules file and the vmware-audit binary. However, the audit/agent-detection code inspects multiple environment variables (CLAUDE_SESSION_ID, OPENAI_API_KEY, CODEX_SESSION, OLLAMA_HOST, DEERFLOW_SESSION, etc.) to infer the calling AI agent. That inference is plausible for auditing but could reveal the presence of platform API keys or agent signals in logs; review logging policy and ensure audit DB permissions and retention meet your requirements. Also note VMWARE_POLICY_DISABLED can be set to bypass policy checks (documented behavior).
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. It writes local artifacts under ~/.vmware/ (audit DB, archived logs, rules.yaml) which is expected for an audit library. It does enforce decoration of tools at startup (asserts on missing @vmware_tool), which can cause dependent skills to fail if not integrated correctly, but this is coherent with its enforcement purpose.
Assessment
This skill appears to be what it claims: a local audit and policy library for a family of VMware skills. Before installing:
1) Verify the vmware-audit binary/package comes from a trusted source (the SKILL.md references a GitHub repo).
2) Ensure ~/.vmware/ has strict permissions (e.g., 700 for the directory, 600 for the DB) because audit data is stored locally.
3) Be aware that agent detection checks for various environment variables (some of which may contain API keys); confirm that only presence (not secret values) is logged and that your environment does not leak secrets into audit fields.
4) Note VMWARE_POLICY_DISABLED=1 bypasses checks (still logs as _bypassed); treat that env var as privileged.
5) If you rely on auto-install behavior, reconcile the small inconsistency between the registry claiming 'no install spec' and the SKILL.md recommending 'uv tool install vmware-policy'.

Runtime requirements

🛡️ Clawdis
OS: macOS · Linux
Bins: vmware-audit
Config: ~/.vmware/rules.yaml