Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
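btpanel phpsite: BT-Panel PHP Website
v1.0.1 · BT-Panel PHP website management skill, providing site creation, deletion, start/stop, PHP version switching, domain management, SSL certificate management, rewrite rule (pseudo-static) management, database management, and other functions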
by aapanel.com @aapanel
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (BT-Panel PHP site management) align with the included Python CLI scripts (site.py, php.py, domain.py, database.py, ssl_cert.py, rewrite.py) and the single required binary (python3). However the registry/metadata described the package as 'instruction-only' / 'no install spec' while the bundle contains many executable code files and a bt_common client — this mismatch is meaningful and should be treated as a packaging/integrity discrepancy.
Instruction Scope
SKILL.md and the scripts instruct the agent to run many local Python scripts against configured panel servers. The scripts read local configuration (~/.openclaw/bt-skills.yaml or BT_CONFIG_PATH), interact with remote panel APIs (using a user-supplied API token), and several CLI commands print sensitive data (e.g., database info and passwords are displayed in database.cmd_info). While these actions are coherent with site management, they increase the risk of exposing secrets and broaden data-access scope beyond simple 'status checks'.
Install Mechanism
No install spec is provided (no automated download/install), which lowers some supply-chain risk, but the package includes many Python scripts and a local bt_common library that will be executed by the agent. Dependencies (requests, pyyaml, etc.) are required per README/check_env but not installed automatically. There are no external download URLs in the supplied files, which is good, but the lack of an explicit install step means the code will run directly from the skill bundle — review source before execution.
Credentials
The skill declares no required environment variables and only requires python3. In practice the scripts read configuration files (GLOBAL_CONFIG_FILE under the user's home, optional BT_CONFIG_PATH) and rely on a user-supplied BT Panel API token (expected for this purpose). They do not request unrelated cloud credentials, which is appropriate. Caveat: the scripts may output sensitive fields from the panel (DB passwords, possibly other secrets returned by the panel API).
Persistence & Privilege
The skill is not marked 'always: true' and does not request elevated platform privileges in metadata. It uses its own config file paths (global config under the user's home) and does not appear to modify other skills' configurations. Autonomous invocation is allowed (platform default) but not combined with high privileges here.
What to consider before installing
This skill largely does what it says — it's a collection of Python CLI tools that operate against a BT-Panel instance using an API token. Before installing:
1) Inspect bt_common/bt_client.py and related files to confirm there are no hardcoded remote endpoints or unexpected network calls;
2) Be aware you must supply a panel API token (the scripts will use and may persist it in ~/.openclaw/bt-skills.yaml);
3) Understand the scripts can read config files and may print sensitive data (database passwords, etc.) — avoid using tokens with broader privileges than necessary and do not share output indiscriminately;
4) The registry claims 'instruction-only' but the package contains executable code — treat this as a packaging mismatch and review the source fully before running;
5) Run in an isolated environment (dedicated VM or container) or review and test scripts locally with non-production credentials first.
If you need higher assurance, request the author to provide an explicit install spec, minimal dependency list, and a short security note explaining where secrets are stored and what outputs include.
Like a lobster shell, security has layers — review code before you run it.
latest vk9772j8xt4zrr3pkpps0222dgn84446m
Runtime requirements
Bins: python3
