btpanel files (BT Panel File Management)

Security checks across malware telemetry and agentic risk

Overview

This is a real BT Panel file-management skill, but it needs server API tokens and can change, delete, download, unzip, and inspect more server data than its label clearly suggests.

Install only if you trust the publisher and are comfortable letting an agent operate your BT Panel file APIs. Use the least-privileged token available, protect the config file, avoid running `config show` anywhere its output is captured in shared logs, keep backups, and manually confirm the exact server, path, and effect before any delete, overwrite, unzip, download, or recursive permission change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes powerful capabilities including shell execution, network access, remote file read/write, and access to environment/config data, but declares no permissions or equivalent guardrails. In a user-invocable remote server administration skill, this creates a significant trust and safety gap because agents may invoke destructive or sensitive operations without explicit consent boundaries or policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose is file management, but the skill metadata and examples reference broader monitoring, configuration management, connection testing, and potentially other operational functions outside that scope. This mismatch is dangerous because users and orchestrators may grant trust based on the declared purpose while the skill can perform more expansive administrative actions than expected.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file-management skill declares API endpoints for system monitoring, security logs, SSH info, service inventory, website/project enumeration, database listing, and task/crontab visibility, which materially exceeds a basic file-management scope. In an agent setting, this unnecessary capability expansion increases the blast radius of misuse or prompt-injection-driven tool abuse by exposing sensitive operational data unrelated to the stated purpose.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The client exposes broad server-management and monitoring capabilities far beyond the declared file-management scope, including system status, services, databases, firewall, SSH, logs, and scheduled task visibility. This kind of scope mismatch is dangerous because an agent or downstream caller granted this skill gains powerful infrastructure reconnaissance and administrative access that violates least privilege and materially expands blast radius if misused or compromised.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code can read security, SSH, panel, service, and scheduled-task logs, which commonly contain sensitive operational details, usernames, IPs, paths, errors, and sometimes secrets or tokens. In a file-management skill, this creates an unjustified surveillance and credential-harvesting surface, making unauthorized audit-log access more dangerous because users may not realize the skill can inspect security-relevant telemetry.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code supports broad enumeration of websites, projects, databases, services, PHP versions, and system status, enabling infrastructure inventory and reconnaissance unrelated to basic file operations. While some metadata access may seem low risk, in aggregate it reveals attack surface, installed software, and service state that can help an attacker prioritize exploitation or lateral movement.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The script's CLI/help text says it is for a '日志巡检技能包' (a log-inspection skill package), while the declared skill is a file-management skill. This kind of purpose mismatch is a supply-chain trust problem: operators may execute a script under false assumptions, and the inconsistency raises suspicion because the code audits the environment, dependencies, config paths, and adjacent skills unrelated to the stated capability.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This file-management skill includes broad environment auditing, configuration discovery, and neighboring-skill enumeration that do not clearly match its declared purpose. In a security-sensitive agent ecosystem, such overreach can expose host reconnaissance data and normalize running unrelated inspection code, making the skill more dangerous than its label suggests.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file explicitly implements arbitrary URL-to-server download capability, while the stated skill scope is basic file management. In an agent context, this expands the attack surface by enabling remote payload staging or retrieval of untrusted content onto managed servers, which is a meaningful capability increase beyond simple browse/read/edit operations.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This code sends a user-supplied URL to the panel API and causes the remote server to fetch and write external content to a specified path. In practice, that creates a server-side download primitive that can be abused to stage malware, overwrite application assets, or pull attacker-controlled files into sensitive environments, especially because there is no visible restriction on scheme, host, file type, or target directory.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The `show` command prints the full loaded configuration in YAML or JSON, which likely includes stored API tokens for managed servers. Anyone with access to run this command, terminal history, logs, or captured output could obtain credentials and use them to access remote panels.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The function writes output to an arbitrary caller-supplied path without any validation, restriction, or safety checks. In a skill that already has remote file-management context, this becomes more dangerous because a caller or upstream component could overwrite sensitive files, drop data into web-accessible locations, or clobber configuration/log files if the path is influenced by untrusted input.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The `show` command prints the full loaded configuration directly to stdout, and the configuration evidently includes stored API tokens used for server access. This can leak credentials into terminal scrollback, logs, shell history capture, CI job output, or other monitoring systems, enabling unauthorized access to managed servers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The rm command directly invokes remote file deletion with no confirmation prompt, dry-run mode, or guardrails. In a file-management skill that operates on remote servers, an accidental invocation, path mix-up, or prompt-injection-driven misuse could irreversibly delete important files and cause service disruption or data loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The rmdir command deletes remote directories without any pre-execution confirmation or additional safety checks. Because this skill is specifically designed for remote server file management, mistaken or coerced deletion of a directory can remove entire application trees, configs, or data sets, amplifying operational impact beyond a local CLI mistake.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
python3 {baseDir}/scripts/files.py stat /www/test.txt

# Change file permissions
python3 {baseDir}/scripts/files.py chmod 755 /www/test.txt

# Change permissions and set the owner
python3 {baseDir}/scripts/files.py chmod 755 /www/test.txt -u www -g www
Confidence
78% confidence
Finding
chmod 755

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
python3 {baseDir}/scripts/files.py chmod 755 /www/test.txt

# Change permissions and set the owner
python3 {baseDir}/scripts/files.py chmod 755 /www/test.txt -u www -g www

# Recursively change directory permissions
python3 {baseDir}/scripts/files.py chmod 755 /www/wwwroot -R
Confidence
82% confidence
Finding
chmod 755

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
**User intent recognition**:
- "Check this file's permissions" → run `files.py stat <path>`
- "Change the file permissions to 755" → run `files.py chmod 755 <path>`
- "Fix this directory's permissions" → confirm the correct permissions, then run `files.py chmod`

## Version requirements
Confidence
72% confidence
Finding
chmod 755

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
python3 {baseDir}/scripts/files.py stat /www/test.txt

# Change permissions
python3 {baseDir}/scripts/files.py chmod 755 /www/test.txt

# Change permissions and set the owner
python3 {baseDir}/scripts/files.py chmod 755 /www/test.txt -u www -g www
Confidence
78% confidence
Finding
chmod 755

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
python3 {baseDir}/scripts/files.py chmod 755 /www/test.txt

# Change permissions and set the owner
python3 {baseDir}/scripts/files.py chmod 755 /www/test.txt -u www -g www

# Recursively change directory permissions
python3 {baseDir}/scripts/files.py chmod 755 /www/wwwroot -R
Confidence
82% confidence
Finding
chmod 755

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
# Delete a file
python3 {baseDir}/scripts/files.py rm /www/test.txt

# Delete a directory
python3 {baseDir}/scripts/files.py rmdir /www/olddir
```
Confidence
88% confidence
Finding
rm /www/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
python3 {baseDir}/scripts/files.py rm /www/test.txt

# Delete a directory
python3 {baseDir}/scripts/files.py rmdir /www/olddir
```

**User intent recognition**:
Confidence
90% confidence
Finding
rmdir /www/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
# Delete a file
python3 {baseDir}/scripts/files.py rm /www/test.txt

# Delete a directory
python3 {baseDir}/scripts/files.py rmdir /www/olddir
```
Confidence
88% confidence
Finding
rm /www/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
python3 {baseDir}/scripts/files.py rm /www/test.txt

# Delete a directory
python3 {baseDir}/scripts/files.py rmdir /www/olddir
```

### View/modify permissions
Confidence
90% confidence
Finding
rmdir /www/

VirusTotal

66/66 vendors flagged this skill as clean.
