← 返回 Skills 市场
475
总下载
0
收藏
0
当前安装
27
版本数
在 OpenClaw 中安装
/install vmware-storage
功能描述
Use this skill whenever the user needs to manage VMware storage — datastores, iSCSI targets, and vSAN clusters. Directly handles: browse datastores, scan for...
安全使用建议
This package mostly looks like a legitimate VMware storage CLI, but there are several inconsistencies you should resolve before installing or running it on production systems: 1) Confirm the correct install method (SKILL.md lists a 'uv' installer and pip/source options, but registry metadata claims no install spec). Prefer installing from a trusted source (official GitHub repo or your corporate package mirror) and review the actual package before installation. 2) Verify where audit logs are written (SKILL.md mentions ~/.vmware/audit.db but other paths use ~/.vmware-storage) and ensure the audit DB location is acceptable and backed up if needed. 3) Clarify the "local-only / no webhooks" claim — the tool documents an optional webhook_url and the doctor command makes outbound network checks and vSphere API calls; if you do not want outbound webhooks, ensure webhook_url is empty and network egress to untrusted endpoints is blocked. 4) Inspect the vmware-policy dependency and any shared config (~/.vmware/rules.yaml) to understand policy checks and ensure they won't unintentionally affect other tools. 5) Before granting it access, ensure your ~/.vmware-storage/.env file permissions are 600 and never store plaintext passwords elsewhere (SKILL.md recommends this). 6) If you need higher assurance, fetch the source from the referenced GitHub (https://github.com/zw008/VMware-Storage) and audit the package code and the vmware-policy dependency for unexpected behavior (web requests, uploads, or unexpected third-party hosts).
功能分析
Type: OpenClaw Skill
Name: vmware-storage
Version: 1.5.15
The vmware-storage skill is a legitimate tool for managing VMware datastores, iSCSI, and vSAN clusters via the vSphere API. It incorporates several security best practices, including local-only stdio transport, mandatory audit logging to a local SQLite database via the vmware-policy dependency, and a dedicated _sanitize() function to prevent prompt injection from malicious file names on datastores. No evidence of data exfiltration, obfuscation, or unauthorized execution was found across the documentation or tool definitions (SKILL.md, setup-guide.md).
能力评估
Purpose & Capability
Name, description, required binary (vmware-storage), required env var (VMWARE_STORAGE_CONFIG), and the described CLI tools align with a VMware storage management tool; required config files (~/.vmware-storage/config.yaml and ~/.vmware-storage/.env) are proportional to that purpose. Companion-skill separation (no VM lifecycle ops) is explicit and sensible.
Instruction Scope
SKILL.md contains conflicting/ambiguous claims about network behavior: it states "No webhooks or outbound network calls — local-only (stdio MCP + vSphere API)" yet the example config includes an optional webhook_url and the doctor command explicitly performs network connectivity checks and vSphere authentication (outbound). The README also instructs adding an MCP stdio server entry (normal) and documents reading .env for per-target passwords. These contradictions (local-only vs. outbound network calls and optional webhook) are unclear and should be clarified. The SKILL.md also references multiple filesystem locations (~/.vmware-storage vs ~/.vmware) for audit logs which is inconsistent.
Install Mechanism
Registry metadata states 'No install spec — instruction-only', but SKILL.md contains an installer block (installer: kind: uv package: vmware-storage) and a Quick Install recommending 'uv tool install vmware-storage' and pip/git install instructions. This mismatch between registry metadata and SKILL.md should be resolved. The recommended installers (uv, pip, git) are standard; no arbitrary/download-from-IP install URLs are present in the provided docs.
Credentials
Requested environment variables and config paths are appropriate for a vSphere tool: VMWARE_STORAGE_CONFIG to point at config.yaml and per-target password variables (VMWARE_<TARGET>_PASSWORD) stored via a local .env file. The number and type of env vars are proportional to the stated tasks. The SKILL.md enforces .env permissions (chmod 600) which is good practice.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The skill relies on vmware-policy for pre-execution policy checks and audit logging into a shared path (~/.vmware/audit.db or similar), which is reasonable for auditing but introduces a shared configuration surface (~/.vmware/rules.yaml and ~/.vmware/audit.db) across companion VMware skills. The docs show how to add an MCP stdio entry (normal), but the different directories used for audit vs. config (~/.vmware vs ~/.vmware-storage) are inconsistent and should be reconciled.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install vmware-storage - 安装完成后,直接呼叫该 Skill 的名称或使用
/vmware-storage触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.5.15
v1.5.15: single-command MCP entry point (vmware-storage mcp), verify_ssl default true. Legacy entry point kept for backward compat.
v1.5.14
v1.5.14: code review fixes by @yjs-2026 + Snyk E005 disclaimer
v1.5.12
Security & bug fixes from @yjs-2026 code review
v1.5.11
Align with VMware skill family v1.5.11
v1.5.10
Security: python-multipart 0.0.22→0.0.26 (DoS fix)
v1.5.8
Align with VMware skill family v1.5.8
v1.5.7
Align with VMware skill family v1.5.7
v1.5.6
Fix CRITICAL: mcp_server missing from wheel
v1.5.5
Align with VMware skill family v1.5.5
v1.5.4
Security: pytest 9.0.2→9.0.3 (CVE-2025-71176); Align family v1.5.4
v1.5.3
No changes detected in this release.
- Version bump only; no file or functionality changes.
- All features and documentation remain as in the previous version.
v1.5.2
## vmware-storage 1.5.2
- No user-facing changes; documentation, code, and configuration files remain unchanged.
- This release does not introduce any new features or fixes.
v1.5.1
vmware-storage 1.5.1
- Added a disclaimer clarifying that this is a community-maintained project not affiliated with VMware/Broadcom.
- Updated credential documentation: each target now requires a specific password environment variable in .env using the pattern VMWARE_<TARGET>_PASSWORD.
- Improved metadata and compatibility section to reflect per-target credential requirements and clarify local-only operation (no webhooks/outbound network).
- Minor copyedits and formatting improvements for clarity in SKILL.md.
v1.5.0
v1.5.0: Anthropic best practices, [READ]/[WRITE] prefixes, Broadcom attestation
v1.4.10
Anthropic best practices: [READ]/[WRITE] prefixes, failure branches, Broadcom author attestation
v1.4.9
Security routing fixes and vmware-policy clarity; NSX auth fix for special char passwords
v1.4.8
Security patch: bump cryptography 46.0.6→46.0.7 (CVE-2026-39892), urllib3→2.6.3, requests→2.33.0
v1.4.7
Fix: align openclaw metadata; add vmware-policy optional dep; standardize audit path to ~/.vmware/audit.db
v1.4.6
fix: remove suspicious content for clean scan
v1.4.5
Security: pygments ReDoS CVE fix; Infrastructure: uv.lock for all repos
元数据
常见问题
Vmware Storage 是什么?
Use this skill whenever the user needs to manage VMware storage — datastores, iSCSI targets, and vSAN clusters. Directly handles: browse datastores, scan for... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 475 次。
如何安装 Vmware Storage?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install vmware-storage」即可一键安装,无需额外配置。
Vmware Storage 是免费的吗?
是的,Vmware Storage 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Vmware Storage 支持哪些平台?
Vmware Storage 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(macos, linux)。
谁开发了 Vmware Storage?
由 zw008(@zw008)开发并维护,当前版本 v1.5.15。
推荐 Skills