Pve Builder

Proxmox VE VM builder with cloud-init automation, config-driven hardware defaults, validation, and static IP support

This skill appears internally consistent with its stated purpose, but review the following before installing: (1) It will create and store SSH private keys on your machine (default: ~/.ssh/pve-builder/) and set permissions; ensure the key directory is secure and not committed to version control. (2) It writes a validation cache (~/.pve-builder/validation.json) valid for 24 hours; clear it if your environment changes. (3) The agent will run local shell commands (ssh-keygen, mkdir, chmod) — those execute on your machine, not on Proxmox. (4) The skill asks you to paste output from commands you run on the Proxmox node; inspect that output for sensitive data before pasting. (5) The skill may perform web_fetch/web_search for software-spec lookups; expect network queries. (6) Always review the generated qm and qm set commands before copy/paste into your Proxmox node to ensure they match your environment. If any of these behaviors are unacceptable, do not install; otherwise limit the skill's file-write permissions to a dedicated directory and keep pve-env.md/private keys out of VCS.

Type: OpenClaw Skill Name: pve-builder Version: 1.0.11 The skill is classified as suspicious because SKILL.md instructs the agent to generate and execute local bash scripts (e.g., /tmp/preflight.sh) and shell commands (e.g., openssl for password generation) using the provided shell execution tools. While these actions are intended for VM parameter validation and setup, the practice of an AI agent generating and executing arbitrary code on the host machine is a high-risk pattern. The skill also handles sensitive assets like SSH keys and configuration files (pve-env.md) without explicit safeguards against accidental exposure during its web-search or command-generation phases.