1panel-skills

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly the 1Panel operations helper that its documentation describes, but it also exposes an unrestricted signed API request tool that could perform admin actions beyond the stated inspection scope.

Install only if you intend to give the agent access to a 1Panel admin API. Prefer a least-privilege API key, HTTPS with certificate validation enabled, and a narrow source-IP allowlist, and avoid using the raw `request` or `sign` commands unless you explicitly need privileged debugging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill requires environment variables containing a base URL and API key, but the metadata shown does not declare permissions or clearly scope that access. This creates a mismatch between what the platform may expose and what the skill can actually use, increasing the risk of unintended secret access or execution in overly privileged runtimes.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The README explicitly exposes a CLI that can issue raw signed requests against any 1Panel API path, which goes beyond the "query/inspection first" skill boundary that the documentation repeatedly emphasizes earlier. For an agent skill, this generic signed-request capability turns the module-constrained read-only interfaces into a potentially full-privilege API proxy; if the runtime or an upstream prompt is abused, it can directly trigger unintended administrative operations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation directly teaches users to call arbitrary APIs through the signing CLI, which in practice provides an arbitrary API invocation primitive rather than a purely operational query skill. Given a valid API key, this significantly enlarges the attack surface and allows the skill to be repurposed to perform undeclared sensitive operations against the 1Panel backend.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The `request` command accepts an arbitrary HTTP method and path, then signs and sends it with the privileged 1Panel API key. That bypasses the skill's declared query/inspection-only action surface and effectively turns the CLI into a generic authenticated API proxy, enabling unreviewed state-changing or destructive operations if a caller supplies mutation endpoints.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The `request` command exposes an unrestricted authenticated HTTP primitive that accepts arbitrary methods and paths, which goes beyond the skill's stated inspection/query purpose and effectively turns the skill into a general-purpose 1Panel API client. In an agent setting, this materially expands capability scope: any prompt or downstream tool invocation that reaches this CLI can perform undocumented or future-sensitive operations, including state-changing requests, if the backing API key permits them.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The `sign` command emits reusable authentication headers derived from the API key and current timestamp, giving callers a standalone way to mint authenticated material outside the higher-level action model. For an inspection-focused skill, this unnecessarily exposes auth internals and enables other tools, prompts, or users to replay those headers against arbitrary endpoints within the token validity window.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
A standalone credential-signing feature is not required to fulfill the declared purpose of querying 1Panel status data, and it bypasses the safer abstraction of predefined module actions. In a toolchain or agent environment, exposing this capability increases the chance of credential misuse, lateral reuse by unrelated components, and policy circumvention by allowing authenticated access without using the intended guardrails.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The client explicitly supports disabling TLS certificate verification through configuration, which enables man-in-the-middle interception or spoofing of the 1Panel API endpoint. Because this skill handles authenticated administrative API requests using token-based headers, turning off certificate validation weakens transport security for sensitive control-plane traffic.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README explicitly instructs users to permit `0.0.0.0/0` and `::/0` for API access during testing, which effectively exposes the 1Panel API to any source IP. In the context of an administrative operations skill that uses a static API key and can inspect sensitive infrastructure state, broad IP allowlisting materially increases the chance of unauthorized access if the key is leaked, guessed, logged, or otherwise exposed.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README recommends opening the API allowlist to `0.0.0.0/0` and `::/0` during testing, which amounts to allowing any source address to reach the 1Panel API, and it does not pair this advice with a prominent security warning. For a management-plane API, this exposes an interface that should be protected by the network boundary directly to the whole internet; once the API key is leaked, guessed, or stolen by a man-in-the-middle, the consequence can escalate directly to a compromise of the panel.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation description is broad enough to match many generic infrastructure or operations requests, which can cause the skill to activate in contexts the user did not specifically intend. In a skill that can access authenticated operational data from 1Panel, over-broad triggering raises the chance of unnecessary exposure of sensitive monitoring, logs, certificate, website, or container information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation describes authenticated HTTP access using an API key and optionally disabling TLS verification, but it does not give an explicit user-facing warning that credentials, logs, and network-returned data may be sensitive. This can lead users or operators to expose secrets or retrieve sensitive operational data without informed consent, and the TLS-skip option further increases interception risk if used casually.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The client will send authenticated requests to whatever scheme is present in ONEPANEL_BASE_URL, including plain HTTP, and it also supports disabling TLS verification. That can expose the derived authentication token, request contents, and response data to interception or man-in-the-middle attacks, which is especially risky for an admin-oriented 1Panel management skill.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly describes use of an API key-derived authentication scheme, optional TLS verification disabling, and broad access to logs, website configs, and file reads without corresponding warnings about handling secrets or the risks of insecure transport. In a skill intended for agent runtimes, this increases the chance that operators or downstream integrators expose sensitive configuration, credentials, or log data, especially if `ONEPANEL_SKIP_TLS_VERIFY=true` is used in production-like environments.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The CLI prints signed authentication headers directly to standard output with no warning that the output is sensitive, making accidental disclosure through shell history capture, logs, CI output, terminal sharing, or agent transcript retention more likely. Even though the token is derived rather than the raw API key, it is still usable authentication material and should be treated as secret for its validity period.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The request path applies `rejectUnauthorized: !this.skipTlsVerify`, so outbound HTTPS requests may silently skip certificate validation with no warning, audit event, or user disclosure. In this skill's context, that exposes API responses and authentication material to interception or redirection, especially because the client is intended to query a 1Panel instance that may reveal infrastructure status and operational data.

VirusTotal

VirusTotal findings are pending for this skill version.