ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

btpanel files 宝塔面板文件管理

v1.0.1

宝塔面板文件管理技能,提供远程服务器文件/目录浏览、读取、编辑、创建、删除、权限管理等基本文件操作能力

0· 85·0 current·0 all-time
byaapanel.com@aapanel
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (BT-Panel file manager) matches included code and CLI scripts (files.py, download.py, unzip.py, bt-config.py, bt_common client libraries). Required binary (python3) is appropriate. There are no unexpected cloud credentials or unrelated binaries requested.
Instruction Scope
SKILL.md describes listing, reading, editing, creating, deleting files, changing permissions and how to add a server (including API token). The instructions explicitly advise not to read sensitive local files, and to confirm destructive operations. However, the skill — by design — can read/write any path on the remote panel (including sensitive files) if the provided API token permits it; the docs’ guidance is advisory and not enforced by the code.
Install Mechanism
No install spec is present (instruction-only installation), and the code is pure Python scripts included in the package. No external arbitrary downloads, shorteners, or remote installers are used by the package itself.
Credentials
The registry metadata lists no required env vars or primary credential, but the skill requires the BT-Panel API token (entered via bt-config and persisted to a config file) to operate. Storing tokens in a local config file (~/.openclaw/bt-skills.yaml or project config) is expected for this purpose, but the lack of a declared primary credential in metadata is an omission the user should be aware of.
Persistence & Privilege
Skill does not request always: true and does not modify other skills. It stores server credentials/configs in its own config file (typical). The normal model-invocation behavior (disable-model-invocation: false) is unchanged.
Assessment
This package is a coherent BT-Panel remote file manager: it needs you to add a panel host and API token (via bt-config) and then can list, read, edit, create, delete, download, and unzip files on that remote server. Before installing or using it: (1) only provide an API token with the minimum necessary privileges; avoid using a full-admin token if you can create a limited one; (2) back up important configuration before allowing edits or deletes; (3) be cautious with the download/unzip features — they can fetch and place files on the server (potentially dangerous if pointed at untrusted URLs); (4) confirm where the token is stored (the README/SKILL.md references ~/.openclaw/bt-skills.yaml) and protect that file; (5) if you need stronger guarantees, review the bt_common bt_client code to verify how requests/credentials are handled and whether SSL verification or certificate pinning is enforced. The package metadata’s omission of a declared primary credential is a documentation gap (not necessarily malicious) — verify configuration steps before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk976jtqfyz5ng07sstrwzen4y9845vbx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3

Comments