Source attribution. This page reflects samples/homebox-audit/README.md in the usezombie repo. The zombie is currently README-only — it is a design reference, not yet an install target. Follow zombiectl install homebox-audit progress in the repo.
A quarterly audit for your homelab, run by a zombie. Periodic health check, prioritized report, shareable with your future self.

What it checks

  • Outdated containers — image age, known CVEs.
  • TLS certificates — expiring certs, broken chains, self-signed on public hosts.
  • Default credentials — admin/admin on Grafana, anonymous access on Prometheus, unprotected dashboards.
  • Exposed ports — services reachable from the public internet that probably shouldn’t be.
  • Missing backups — inferred from volume inspection (volumes with no known backup sidecar).
Produces a prioritized report you can act on in one sitting.
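The image-age and certificate-expiry checks, and the step that turns their raw output into the tiered report, are straightforward to sketch. The block below is an added example and not the homebox-audit zombie's own code: its inputs are constructed records shaped like the fields an auditor would pull from `docker inspect` (image name, image `Created` timestamp) and from a leaf certificate's NotAfter date, and the severity thresholds (6 and 12 months for images, 14 and 30 days for certificates) are this example's assumptions rather than anything the project specifies.

```python
"""Added example, not the homebox-audit zombie's own code: turn raw enumeration
data into prioritized findings. Input shapes are modelled on `docker inspect`
(Created) and an X.509 NotAfter date, both constructed here; the severity
thresholds are this example's assumptions, not the project's."""
from datetime import date, datetime

REPORT_DATE = date(2026, 4, 20)  # the date printed on the sample report

# Constructed sample input: container name, image reference, and the image's
# Created timestamp as `docker inspect` reports it.
CONTAINERS = [
    {"Name": "jellyfin", "Image": "jellyfin/jellyfin:10.8.11", "Created": "2023-11-02T12:00:00Z"},
    {"Name": "immich", "Image": "ghcr.io/immich-app/immich-server:v1.100.0", "Created": "2025-03-01T08:00:00Z"},
    {"Name": "grafana", "Image": "grafana/grafana:11.0.0", "Created": "2026-01-15T00:00:00Z"},
]
# Constructed sample input: public hostname plus the NotAfter of its leaf cert.
CERTS = [
    {"Host": "nextcloud.home.example", "NotAfter": "2026-04-29T00:00:00Z"},
    {"Host": "media.home.example", "NotAfter": "2026-07-01T00:00:00Z"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def parse_ts(ts: str) -> date:
    """Parse the RFC 3339 'Z' timestamps Docker and most TLS tooling emit."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later` (0 if later is not after)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return max(months, 0)


def days_until(when: date, today: date) -> int:
    return (when - today).days


def check_image_age(container, today):
    """Stale images: >12 months is high, >6 months is medium (assumed thresholds)."""
    age = months_between(parse_ts(container["Created"]), today)
    if age > 12:
        sev = "high"
    elif age > 6:
        sev = "medium"
    else:
        return None
    return {"severity": sev, "check": "image-age",
            "text": f"{container['Name']} on image {container['Image']} ({age} months old)"}


def check_cert_expiry(cert, today):
    """Expiring certs: expired or <=14 days is critical, <=30 days high (assumed)."""
    left = days_until(parse_ts(cert["NotAfter"]), today)
    if left < 0:
        return {"severity": "critical", "check": "tls-expiry",
                "text": f"{cert['Host']} TLS cert expired {-left} days ago"}
    if left <= 14:
        sev = "critical"
    elif left <= 30:
        sev = "high"
    else:
        return None
    return {"severity": sev, "check": "tls-expiry",
            "text": f"{cert['Host']} TLS cert expires in {left} days"}


def audit(containers, certs, today=REPORT_DATE):
    """Run every check; return findings worst-first (stable order within a tier)."""
    findings = []
    for c in certs:
        f = check_cert_expiry(c, today)
        if f:
            findings.append(f)
    for c in containers:
        f = check_image_age(c, today)
        if f:
            findings.append(f)
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


def render_report(findings, today=REPORT_DATE) -> str:
    """Number the findings under the report's own tier headings."""
    headings = {"critical": "Critical (fix this week):", "high": "High (fix this month):",
                "medium": "Medium (next maintenance window):"}
    lines = [f"--- Homebox audit report ({today.isoformat()}) ---"]
    n = 0
    for sev in ("critical", "high", "medium"):
        tier = [f for f in findings if f["severity"] == sev]
        if not tier:
            continue
        lines += ["", headings[sev]]
        for f in tier:
            n += 1
            lines.append(f"  {n}. {f['text']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(audit(CONTAINERS, CERTS)))
```

Two details matter more than the thresholds. Image age is measured in calendar months from the image's build date, not from when the container was last restarted, because a restart of an old image changes nothing about its CVE exposure. And certificate findings come from the certificate actually served, not from the renewal job's logs: a renewal that "succeeded" but never got loaded into the reverse proxy is exactly the case the audit exists to catch.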

Good reasons to run it

  • You forgot when you last updated Home Assistant.
  • You have no idea whether your Jellyfin is on the public internet.
  • Your Let’s Encrypt cert renewed… or didn’t.
  • You want a monthly “state of the homelab” report to your own email.

What it won’t do

  • Update anything.
  • Rotate secrets.
  • Change configs.
v0.2 adds proposed remediations behind approval gates.

Example run

zombie
→ Homebox audit ready. Run the full sweep? [Y/n]
> y

[00:00] Enumerating containers across 3 Docker hosts + 1 k3s cluster
[00:08] 47 containers, 12 deployments, 8 stateful apps
[00:15] Checking image ages...
        → 14 containers on images > 6 months old
        → 3 containers on images > 12 months old (jellyfin, immich, paperless)
[00:22] Probing TLS on public endpoints...
        → 6 certs valid, 1 expiring in 9 days (nextcloud.home.example)
[00:31] Scanning for default credentials on known services...
        → grafana has default admin/admin
[00:40] Audit complete.

--- Homebox audit report (2026-04-20) ---

Critical (fix this week):
  1. nextcloud.home.example TLS cert expires in 9 days
  2. grafana has default admin/admin credentials

High (fix this month):
  3. jellyfin on image released 2023-11-02 (29 months old)
     → 4 known CVEs, 1 high severity
  4. immich on image > 12 months old

...
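The "scanning for default credentials" step in the run above is the one check that talks to a service as a client rather than just reading metadata, so it deserves a closer look at how to do it without causing harm. The block below is an added example, not the zombie's own code: it tries the factory pair exactly once against a basic-auth endpoint and classifies the answer, and it is exercised against a constructed stub server so it runs offline. The stub is not Grafana; the `/api/org` path and the admin/admin pair are assumptions about the target beyond what the page states ("admin/admin on Grafana").

```python
"""Added example, not the zombie's own code: one-shot probe for factory-default
credentials, tested against a constructed basic-auth stub (not Grafana). The
/api/org path and the admin/admin pair are assumptions about the target."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# service -> (default user, default password, an authenticated read-only path)
DEFAULT_CREDS = {"grafana": ("admin", "admin", "/api/org")}  # assumed defaults


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def make_stub(accepts: tuple) -> type:
    """Constructed stand-in for a basic-auth protected service: 200 on the
    configured pair, 401 on anything else."""
    expected = basic_header(*accepts)

    class Stub(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == expected:
                self.send_response(200)
                self.send_header("Content-Type", "application/json")
                self.end_headers()
                self.wfile.write(b'{"id":1,"name":"Main Org."}')
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="stub"')
                self.end_headers()

        def log_message(self, *args):  # keep the example quiet
            pass

    return Stub


def start_stub(accepts=("admin", "admin")) -> HTTPServer:
    """Bind to any free loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), make_stub(accepts))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_default_creds(base_url: str, service: str, timeout: float = 5.0):
    """Try exactly the factory pair once.

    Returns True (accepted), False (rejected with 401/403) or None (could not
    tell: unreachable, or an unexpected status). One attempt with a known pair
    is an audit; retrying variants is a brute-force that can lock out the real
    admin, so this function never tries anything else."""
    user, password, path = DEFAULT_CREDS[service]
    req = Request(base_url.rstrip("/") + path,
                  headers={"Authorization": basic_header(user, password)})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError as e:
        return False if e.code in (401, 403) else None
    except URLError:
        return None


def finding_for(host: str, service: str, result):
    """Map a probe result to a report finding (None when nothing to report)."""
    user, password, _ = DEFAULT_CREDS[service]
    if result is True:
        return {"severity": "critical",
                "text": f"{service} on {host} has default {user}/{password} credentials"}
    if result is None:
        return {"severity": "info",
                "text": f"{service} on {host}: could not complete credential check"}
    return None


if __name__ == "__main__":
    srv = start_stub()
    url = f"http://127.0.0.1:{srv.server_port}"
    print(finding_for(url, "grafana", probe_default_creds(url, "grafana")))
    srv.shutdown()
```

The three-way result is deliberate. A 401 is a clean negative; a connection failure or an unexpected status is not evidence either way, and reporting it as "checked, fine" would hide exactly the hosts the audit could not reach. The probe also reads an authenticated GET rather than hitting a login form, so a successful check changes nothing on the target and stays inside the "enumerate only" policy.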

Tools and policy

Authored as one SKILL.md plus one TRIGGER.md. The tools the zombie can invoke (docker, kubectl, tls-probe) are named in TRIGGER.md as bare tool names. The read-only policy is prose inside the SKILL.md prompt: “enumerate only; never change configs, never update images, never rotate secrets; stop at the report.” That is an instruction to the model, not an enforced boundary: the same docker and kubectl binaries can write, so the credentials should be what actually holds the line. Credentials: a Kubernetes kubeconfig and SSH access to the Docker hosts. Bind the kubeconfig's identity to a role limited to get/list/watch, and give the SSH user only what docker inspect and docker ps need (raw access to the Docker socket is root-equivalent on that host, so a read-only socket proxy is the safer option), so that a misfollowed prompt ends in a refused command rather than a changed host. Worker placement is inside your homelab, so those credentials never leave your network. See samples/homebox-audit/README.md in the repo for the full manifest.