Is cepheiden/openbot-esxi safe?
https://github.com/openclaw/skills/tree/main/skills/cepheiden/openbot-esxi
This is a legitimate ESXi VM deployment skill with clean code, no prompt injection, and no data exfiltration attempts. The scripts do exactly what they document: automate Debian 13 VM provisioning on ESXi 8 using standard tools (govc, sshpass, xorriso). The primary risks are operational — unencrypted telnet serial consoles, credentials printed to stdout, disabled SSH host key checking, and the inherent power of granting an agent infrastructure-level access.
Findings (8)
MEDIUM Shell scripts execute remote commands on ESXi hosts via SSH -15
esxi-deploy.sh SSHs into the ESXi host to create VM directories, write VMX files, create virtual disks, register VMs, and modify firewall rules. esxi-vm-resize-disk.sh SSHs into the guest VM to grow partitions. This is the stated purpose but represents significant infrastructure access.
MEDIUM VM credentials printed to stdout and embedded in ISO -8
The randomly generated VM root password is printed to the console during deployment and is embedded in the preseed.cfg inside the ISO uploaded to the ESXi datastore. Anyone with datastore access could extract the password from the ISO.
LOW SSH StrictHostKeyChecking disabled -4
Both scripts use -o StrictHostKeyChecking=no for SSH connections to ESXi hosts and VMs, making them vulnerable to man-in-the-middle attacks on untrusted networks.
LOW ESXi firewall rule opened automatically -5
The deploy script automatically enables the remoteSerialPort firewall ruleset on ESXi, which opens telnet access to VM serial consoles. This is needed for the feature but widens the attack surface.
LOW Telnet serial console is unencrypted -8
Serial console access uses plain telnet, meaning all console I/O (including any typed passwords) traverses the network unencrypted. The script binds to the ESXi host IP rather than 0.0.0.0, but any host on the same network segment can connect.
LOW External ISO download from cdimage.debian.org -3
The script downloads a Debian netinst ISO from the official Debian CDN. This is a legitimate source, but the download is not verified with a checksum, so a network-level attacker could substitute a malicious ISO.
INFO No prompt injection detected -5
SKILL.md is clean technical documentation with no hidden instructions, override attempts, or obfuscated content. The skill does not attempt to manipulate agent behavior beyond its stated purpose.
INFO Infrastructure-level agent capability -20
This skill grants the agent the ability to create and manage VMs on ESXi infrastructure. While legitimate, users should be aware that an agent with this skill and configured credentials can provision compute resources, modify ESXi firewall rules, and access VM consoles.