Security Scan
OpenClaw
Secure
Medium confidence
The skill's requested files, env vars, and actions align with a local VMware storage management CLI: requirements and instructions are proportionate, but review the installation source and a small doc inconsistency before installing.
Assessment Recommendations
This skill appears coherent for managing VMware storage, but take these practical precautions before installing/using it:
- Install vmware-storage only from a trusted source (official GitHub repo or your vetted package registry) and verify the package contents and signature when possible.
- The tool reads ~/.vmware-storage/.env for per-target passwords — keep that file permission-restricted (chmod 600) and do not store long-lived high-privilege credentials if unnecessary.
- Confirm whether the o...
Detailed analysis
✓ Purpose and Capabilities
Name/description describe storage management and all required items (vmware-storage binary, VMWARE_STORAGE_CONFIG, ~/.vmware-storage/config.yaml and .env) are appropriate and expected for managing vSphere datastores, iSCSI, and vSAN.
ℹ Instruction Scope
SKILL.md confines actions to local CLI/MCP + vSphere API (reading config/.env, calling vSphere endpoints, writing local audit DB). Two small scope notes: (1) the docs explicitly say "No webhooks or outbound network calls — local-only", yet the config example and notify section include an optional webhook_url which implies outbound HTTP callbacks; (2) the doctor command performs network connectivity checks to configured targets (vCenter/ESXi), which is expected but is outbound network activity. These are not malicious but are worth confirming with the author.
✓ Installation Mechanism
This is an instruction-only skill (no install spec or embedded code). The docs reference installing the vmware-storage CLI via uv/pip or from GitHub — standard distribution methods. There are no suspicious download URLs or hidden installers in the skill bundle.
✓ Credential Requirements
Requested environment variables and config paths map directly to the stated functionality: VMWARE_STORAGE_CONFIG to locate config file and per-target VMWARE_<TARGET>_PASSWORD entries for credentials. The number/type of env vars is proportional to a multi-target vSphere tool. The skill requires access to local ~/.vmware-storage/.env which holds passwords (expected).
✓ Persistence and Permissions
The skill is not force-enabled (always:false) and does not request elevated platform privileges. It writes audit logs to ~/.vmware/audit.db (local only) and suggests adding an MCP stdio entry to local client configs; these are normal for a local tool. Autonomous invocation by agents is allowed by default but is not combined with other red flags.
Security is layered; review the code before running it.
Runtime Dependencies
🖥️ OS: macOS · Linux
Versions
latest: v1.5.14 (2026/3/22)
v1.5.14: code review fixes by @yjs-2026 + Snyk E005 disclaimer
● Harmless
Install Command
Official: npx clawhub@latest install vmware-storage
Mirror (accelerated): npx clawhub@latest install vmware-storage --registry https://cn.longxiaskill.com