Is eddygk/idrac safe?

The load_config() function in idrac.sh executes 'source "$CONFIG_FILE"' where CONFIG_FILE defaults to ~/.config/idrac-skill/config. Any agent or process with write access to this file can inject shell commands that execute with the user's privileges the next time the iDRAC skill is invoked. In a multi-skill agent environment where another skill can write files, this is a viable privilege escalation path.

The skill package includes .clawhub/lock.json listing academic-research-hub:0.1.0 as an installed skill with installedAt timestamp 1770957475341. This skill has no relationship to iDRAC functionality. If ClawHub's install process merges or applies this lock.json, it could register a foreign skill as installed in the user's environment, enable hidden dependencies, or manipulate the skill registry state. Alternatively this may be an accidental commit of the developer's environment state, but that itself indicates poor operational security.

Three credential sources (1password, env, file) all result in iDRAC credentials persisted to ~/.idrac-credentials in username:password format. The 1password source writes 1Password-retrieved secrets to disk. The env source writes environment variable credentials to disk, converting ephemeral secrets into persistent ones. Mode 600 limits access to the owner but the file persists across sessions and is accessible to any process running as that user.

The storage command pipes @odata.id values from the iDRAC API response directly into api_get calls without validation. A malicious or compromised iDRAC server could return controller paths containing unexpected hostnames or path traversal sequences, causing the agent to make requests to unintended network destinations.

All curl invocations use -k (--insecure), disabling TLS certificate verification. While this is disclosed and common for iDRAC deployments with self-signed certificates, it means the skill cannot detect MITM attacks against the iDRAC endpoint. Combined with basic auth credential transmission, a network-level attacker could intercept credentials.

The ip neigh show command executed at audit timestamp 1771939157.345 immediately after install cleanup. While this is most likely the OpenClaw audit system collecting post-install network state, the timing is coincident with skill installation completion. The ARP table enumeration could provide network topology information useful for lateral movement planning.

Access to /home/oc-exec/.env was recorded at audit(1771939157.349:5648), three seconds after the skill was installed and immediately following ip neigh show. While the canary integrity check confirms file contents were not modified, the read access at this timing is between the expected pre-install sweep (at 1771939142) and the post-install canary check sweep (at 1771939161). Most likely attributable to the audit system, but not definitively explained by visible processes.

The skill supports GracefulShutdown, ForceRestart, and On power operations against production Dell PowerEdge servers. The workflow requires user confirmation before destructive operations, which is appropriate. However, in an automated agent context where confirmation may be implicit or bypassed, these operations could take down production infrastructure.

By referencing scripts/idrac.sh and directing the agent to run it, the skill causes the agent to execute 'source ~/.config/idrac-skill/config'. While this is standard shell scripting practice, it means the agent's shell environment is modified by a user-writable file on every invocation. This is a minor concern given the file is user-controlled, but creates an implicit trust dependency on file integrity.