overthinkos/qemu-guest-agent
distros/skills/qemu-guest-agent/SKILL.md
QEMU guest agent for host-guest communication in virtual machines. Use when working with QEMU/KVM VMs, guest agent setup, or libvirt channel configuration.
data-ai
Updated Jun 11, 2026
$ install --global
skillsauthnpx skillsauth add overthinkos/overthink-plugins qemu-guest-agentInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 11, 2026, 7:07 AM232.1s1 file scanned
SKILL.md
- name:
- qemu-guest-agent
- description:
- |
qemu-guest-agent -- QEMU guest agent
Candy Properties
| Property | Value |
|----------|-------|
| Install files | charly.yml |
Packages
qemu-guest-agent-- QEMU guest agent daemon. The package name is identical on Arch/CachyOS (pac) and Fedora (rpm), so the top-levelpackage:covers both — this is a cross-distro candy, not RPM-only.
Full functionality (all RPCs + fsfreeze)
The candy exposes the complete guest-agent surface — guest-exec,
guest-file-*, guest-fsfreeze-*, guest-set-*. The package default blocks no
RPCs; the candy's /etc/qemu/qemu-ga.conf makes that explicit and turns on the
fsfreeze hook (the one capability not active by default), so the host can take
application-consistent snapshots. The hook is a standard dispatcher
(/etc/qemu/fsfreeze-hook) that runs every executable in
/etc/qemu/fsfreeze-hook.d/ with freeze/thaw; drop per-app scripts there.
The candy also enables the qemu-guest-agent.service (system scope) and
contributes the virtio-serial channel (below). On a kind: vm entity the channel
is usually declared structurally instead — channels: [{type: unix, name: org.qemu.guest_agent.0}] (see /charly-internals:libvirt-renderer).
Usage
# charly.yml -- add to a bootc image's layer list
my-vm-image:
bootc: true
candy:
- qemu-guest-agent
# or applied to a VM guest at deploy time:
# charly deploy add vm:<name> qemu-guest-agent
Used In Boxes
Composed into bootc images directly, or applied to a VM guest at deploy time (charly deploy add vm:<name> qemu-guest-agent).
virtio-serial channel (libvirt XML contribution)
The candy contributes a raw libvirt XML snippet that the libvirt renderer places in the VM's <devices> section:
<channel type='unix'>
<target type='virtio' name='org.qemu.guest_agent.0'/>
</channel>
Emitted in charly.yml as:
libvirt:
snippets:
- "<channel type='unix'><target type='virtio' name='org.qemu.guest_agent.0'/></channel>"
This is the / classification case: isDeviceElement flags it as device-scoped, so the renderer injects it inside <devices> rather than before </domain>. See /charly-internals:libvirt-renderer for the injection pipeline and /charly-vm:vm for the QEMU-user-net caveat (the agent shows as enabled/inactive under charly's QEMU backend; libvirt backend activates it).
Related Candies
/charly-coder:sshd-- SSH server (commonly paired in bootc/VM images)
When to Use This Skill
Use when the user asks about:
- QEMU guest agent installation
- Host-guest communication in VMs
- Libvirt virtio channel configuration
- The
org.qemu.guest_agent.0channel
Related
/charly-image:layer— candy authoring reference (charly.ymlschema, task verbs, service declarations,libvirt.snippets:)/charly-vm:vm— VM lifecycle; bootc VM caveats; QEMU-user-net limitation/charly-vm:vms-catalog—kind: vmentity schema that consumes this candy's contribution/charly-internals:libvirt-renderer— renderer that injects this candy's snippet into<devices>/charly-eval:eval— declarative testing (eval:block,charly eval box,charly eval live)
Related Skills
overthinkos/charly
tools
VerifiedTrustedCommunity
OpenCharly CLI (charly) binary installed into container/VM images for in-container use. Use when working with charly binary deployment inside containers, native D-Bus support, or the full charly toolchain (charly binary + virtualization + gocryptfs + socat).
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-cachyos
development
VerifiedTrustedCommunity
Operator CachyOS workstation profile — a kind:local template + target:local deploy that installs the full dev stack (30 candies) onto a CachyOS host via ShellExecutor. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing or applying the charly-cachyos workstation profile.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-fedora
tools
VerifiedTrustedCommunity
Fedora box with the full charly toolchain using shared candies. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Same candy list as charly-arch. Includes NVIDIA GPU runtime. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-fedora box.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-arch
tools
VerifiedTrustedCommunity
Arch Linux box with the full charly toolchain. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /charly-coder:charly-mcp so the box is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-arch box.
SKILL.mdUpdated Jun 10, 2026