btpanel phpsite (BaoTa Panel PHP Website)

Security checks across malware telemetry and agentic risk

Overview

The skill is a genuine BaoTa PHP site-management integration, but it wields administrative server access and handles credentials with several safety gaps: its capabilities are broader than the declared PHP-site scope, and secrets are printed and stored without protection.

Install only if you are comfortable giving the skill administrative BaoTa panel access. Treat its config file as secret, avoid using commands that print full config or database passwords in shared sessions, and require explicit confirmation before site, file, database, or SSL changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Intent-Code Divergence (Medium severity, 98% confidence)

The document states that sensitive data such as database passwords and SSL private keys should not be proactively disclosed, but later examples normalize plaintext secret output. This contradiction can cause an agent to reveal credentials in chat transcripts, logs, or reports where they may be retained or exposed to unintended parties.

Intent-Code Divergence (Medium severity, 99% confidence)

The WordPress deployment walkthrough includes database credentials in command lines, temporary files, and the final completion message. That pattern exposes secrets through shell history, process listings, temporary file residue, and conversational output, making credential compromise much more likely on shared or logged systems.

Description-Behavior Mismatch (Medium severity, 87% confidence)

The client exposes extensive system, security, SSH, firewall, task, and service monitoring capabilities that materially exceed the declared PHP website management scope. In an agent skill context, this scope expansion increases the chance of collecting sensitive infrastructure data without clear user expectation or least-privilege boundaries, which can enable reconnaissance and privacy/security overreach.

Context-Inappropriate Capability (High severity, 97% confidence)

get_file_body accepts an arbitrary path and sends it to the panel file-read endpoint, creating a generic file-reading primitive unrelated to ordinary PHP site management. If higher-level agent logic exposes this method to untrusted prompts or broad user input, it can be used to retrieve sensitive files such as configs, keys, credentials, or logs from managed servers.

Description-Behavior Mismatch (Medium severity, 91% confidence)

This module exposes broad remote file-system capabilities including arbitrary read, write, create, delete, and permission changes on the managed server, which materially exceeds a narrowly scoped PHP site-management function. In an agent setting, this creates a powerful primitive for destructive actions, secret extraction, webshell placement, and tampering with unrelated system files if higher-level callers do not enforce strict path and action restrictions.

Context-Inappropriate Capability (High severity, 95% confidence)

The set_file_access method allows changing ownership and permissions for arbitrary paths, optionally recursively, without any visible validation or scoping. This can be abused to weaken protections, take control of application files, expose sensitive data, or make malicious files executable/persistent across the server.
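
The three file-primitive findings above (arbitrary get_file_body, the broad read/write/delete surface, and unscoped set_file_access) share one fix: every caller-supplied path is mapped onto a single site's document root before it reaches the panel, and mode changes that would weaken the site are refused. The following is an added example written for this page, not code from the skill itself. It assumes the default BaoTa layout of /www/wwwroot/<site> and that the raw client exposes get_file_body, delete_file and set_file_access with the signatures shown; RecordingClient is a constructed stand-in for the real panel client.

```python
import posixpath

# Assumption: sites live under the default BaoTa root; the page does not show the skill's own layout.
SITE_ROOT = "/www/wwwroot"


class PathScopeError(ValueError):
    """Raised when a requested path falls outside the site the caller may touch."""


def scope_path(site: str, requested: str) -> str:
    """Map a caller-supplied path onto SITE_ROOT/<site> and refuse anything that escapes it.

    The panel operates on remote paths, so this is a purely lexical check: '.' and
    '..' are collapsed and the result must stay inside the site root. It cannot see
    remote symlinks, so the panel-side tree must not contain links pointing outside.
    """
    if not site or site in (".", "..") or "/" in site or "\x00" in site:
        raise PathScopeError(f"invalid site name: {site!r}")
    if "\x00" in requested:
        raise PathScopeError("NUL byte in path")
    root = posixpath.join(SITE_ROOT, site)
    # Relative paths are taken under the site root; absolute ones must already be inside it.
    candidate = requested if requested.startswith("/") else posixpath.join(root, requested)
    resolved = posixpath.normpath(candidate)
    if resolved != root and not resolved.startswith(root + "/"):
        raise PathScopeError(f"{requested!r} resolves to {resolved}, outside {root}")
    return resolved


def is_in_scope(site: str, requested: str) -> bool:
    """Boolean form of scope_path for callers that only need a yes/no answer."""
    try:
        scope_path(site, requested)
        return True
    except PathScopeError:
        return False


class ScopedFileClient:
    """Wrap a raw panel file client so every path passes through scope_path first.

    Method names mirror those quoted in the findings; their exact signatures are assumed.
    """

    def __init__(self, raw_client, site: str):
        self._raw = raw_client
        self._site = site
        self._root = posixpath.join(SITE_ROOT, site)

    def get_file_body(self, path: str) -> str:
        return self._raw.get_file_body(scope_path(self._site, path))

    def delete_file(self, path: str):
        return self._raw.delete_file(scope_path(self._site, path))

    def set_file_access(self, path: str, user: str = "www", access: str = "755", recursive: bool = False):
        target = scope_path(self._site, path)
        mode = int(access, 8)
        if mode & 0o002:
            raise PathScopeError(f"refusing mode {access}: world-writable web content invites webshell drops")
        if mode & 0o6000:
            raise PathScopeError(f"refusing mode {access}: setuid/setgid bits are never needed for site files")
        if recursive and target == self._root:
            raise PathScopeError("recursive chmod/chown of the whole site root must be done by hand")
        return self._raw.set_file_access(target, user, access, recursive)


class RecordingClient:
    """Constructed stand-in for the real panel client: records calls instead of contacting a panel."""

    def __init__(self):
        self.calls = []

    def get_file_body(self, path):
        self.calls.append(("read", path))
        return "<?php // body of " + path

    def delete_file(self, path):
        self.calls.append(("delete", path))
        return True

    def set_file_access(self, path, user, access, recursive):
        self.calls.append(("chmod", path, user, access, recursive))
        return True


if __name__ == "__main__":
    client = ScopedFileClient(RecordingClient(), "example.com")
    print(client.get_file_body("wp-content/../index.php"))
    for bad in ("../../etc/passwd", "/etc/shadow", "/www/wwwroot/example.com.bak/x"):
        try:
            client.get_file_body(bad)
        except PathScopeError as err:
            print("blocked:", err)
```

The check is deliberately lexical because the skill never sees the remote filesystem; a symlink inside the site root that points at /etc would still be followed by the panel, so the wrapper reduces the blast radius of a prompt-injected path but does not replace panel-side hardening.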

Context-Inappropriate Capability (Medium severity, 97% confidence)

The `show` command outputs the entire loaded configuration in YAML or JSON, which will include stored API tokens and other sensitive server connection details. In a CLI/admin environment this is still dangerous because terminal output may be captured in shell history, logs, screenshots, CI job output, or shared support sessions, causing credential disclosure and potential unauthorized panel access.

Missing User Warnings (Medium severity, 76% confidence)

The module persists panel API tokens to disk in YAML without any evident file-permission hardening, encryption, or user warning about secret storage. In the context of a server-management skill, exposure of these tokens could allow unauthorized administrative actions against managed BaoTa panels if the config file is readable by other local users or included in backups.
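
The fix for on-disk token storage is small: create the file with mode 0600 before any secret is written, swap it in atomically, and refuse to load a config that other local users can read. The block below is an added example for this page, not the skill's own code. It keeps the BT_CONFIG_PATH variable named in the findings, but writes JSON instead of YAML purely to stay dependency-free; the default path and the sample config are assumptions.

```python
import json
import os
import stat
import tempfile

# Assumed default; the skill's real default location is not shown on the page.
DEFAULT_CONFIG_PATH = os.path.expanduser("~/.config/btpanel/config.json")


def config_path() -> str:
    """Honour BT_CONFIG_PATH (named on the page) and fall back to a per-user location."""
    return os.environ.get("BT_CONFIG_PATH", DEFAULT_CONFIG_PATH)


def save_config(path: str, config: dict) -> None:
    """Persist panel tokens so that only the owning user can read them.

    mkstemp creates the temporary file 0600 before a single secret byte is written,
    the parent directory is created 0700, and os.replace swaps the file in
    atomically, so a crash never leaves a half-written or world-readable config.
    """
    directory = os.path.dirname(os.path.abspath(path))
    os.makedirs(directory, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(prefix=".config-", dir=directory)
    try:
        os.fchmod(fd, 0o600)  # explicit, in case platform defaults differ
        with os.fdopen(fd, "w") as fh:
            # The real skill stores YAML; JSON is used here only to avoid a third-party dependency.
            json.dump(config, fh, indent=2)
            fh.write("\n")
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def check_config_permissions(path: str) -> list:
    """Return the problems with the config file's mode/ownership; an empty list means safe to load."""
    problems = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is accessible to other users (mode {stat.filemode(st.st_mode)}); run: chmod 600 {path}")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append(f"{path} is owned by uid {st.st_uid}, not the current user")
    return problems


def load_config(path: str) -> dict:
    """Refuse to use tokens from a file that other local users could have read or replaced."""
    problems = check_config_permissions(path)
    if problems:
        raise PermissionError("; ".join(problems))
    with open(path) as fh:
        return json.load(fh)


def demo() -> dict:
    """Round-trip a constructed config in a scratch directory and report what was enforced."""
    sample = {"servers": {"prod": {"url": "https://panel.example.com:8888", "api_token": "constructed-token-0000"}}}
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "nested", "config.json")
        save_config(path, sample)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
        loaded = load_config(path)
        os.chmod(path, 0o644)  # simulate a careless chmod or a backup restored with loose permissions
        try:
            load_config(path)
            rejected = False
        except PermissionError:
            rejected = True
    return {"mode": mode, "dir_mode": dir_mode, "roundtrip": loaded == sample, "rejects_world_readable": rejected}


if __name__ == "__main__":
    print(demo())
```

The load-time check matters as much as the write-time mode: backups, `git` checkouts and copy-paste between machines routinely reset a file to 0644, and a client that silently keeps using the tokens afterwards gives the user no signal that anything changed.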

Missing User Warnings (Medium severity, 84% confidence)

The write_file convenience method performs remote file modification directly and suppresses read errors with a broad exception, but offers no confirmation, preview, or safety gating before overwriting server files. In an agent workflow, this increases the chance of accidental destructive edits or abuse to implant backdoors or corrupt website content.

Missing User Warnings (Medium severity, 88% confidence)

The delete_dir method allows remote directory deletion with no built-in confirmation, approval step, or scope restriction. Even if the backend uses a recycle bin, this still enables high-impact disruption of websites, application data, and operational files when invoked by an agent or compromised caller.

Missing User Warnings (Medium severity, 87% confidence)

The delete_file method enables arbitrary remote file deletion without confirmation or path constraints. This can be used to disable applications, remove logs, delete configuration or certificate files, and otherwise undermine integrity and availability of the managed server.

Missing User Warnings (Medium severity, 98% confidence)

The command prints full configuration data without warning, and the code gives no indication that secrets such as API tokens are filtered before display. Because this tool manages access to remote panel servers, exposing tokens in plain text materially increases the risk of credential theft and unauthorized administrative actions.

Missing User Warnings (Medium severity, 91% confidence)

The script includes BT_CONFIG_PATH and active configuration path values in structured output without redaction or an explicit warning. Environment variables and config paths can contain sensitive filesystem locations or even embedded secrets, so emitting them to logs or AI consumers may leak operationally useful information.

Missing User Warnings (Medium severity, 93% confidence)

The show command serializes and prints the entire loaded configuration, which likely includes API tokens for managed servers. In a CLI or agent context, stdout is often logged, captured in transcripts, or exposed to other users/processes, so this can directly leak credentials and enable unauthorized access to the panel instances.

Missing User Warnings (Medium severity, 88% confidence)

The script collects BT_CONFIG_PATH and may print it in JSON or human-readable output without warning or redaction. Environment variables often contain sensitive filesystem paths or even embedded secrets, so exposing them can leak operational details to logs, consoles, or downstream parsers.

Missing User Warnings (High severity, 99% confidence)

The info command prints the database password directly to stdout, which can expose credentials in terminal history, logs, CI output, shell capture, or remote agent transcripts. In an agent skill context, stdout is often surfaced to users or stored by orchestration systems, making credential leakage especially dangerous.

Missing User Warnings (High severity, 99% confidence)

Echoing the newly set password to stdout leaks a fresh valid credential to any party that can view terminal output, command logs, agent traces, or monitoring captures. Because this tool manages production databases, the exposed password could enable immediate unauthorized access or lateral movement.

Missing User Warnings (Medium severity, 89% confidence)

The delete command can remove the site, its files, database, and FTP account immediately based only on CLI flags, with no confirmation prompt, dry-run, or secondary safeguard. In an administrative automation skill, this increases the risk of accidental or scripted destructive actions causing irreversible data loss.
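
The write_file, delete_dir, delete_file and delete-site findings describe the same missing control: a destructive call should first produce a plan the user can see (for writes, the diff) and then run only when the caller repeats an action-specific phrase back. The block below is an added example written for this page, not the skill's code. FakePanel is a constructed in-memory stand-in, and the raw method names (delete_site, save_file_body) are assumed.

```python
import difflib
import functools


class ConfirmationRequired(Exception):
    """Raised when a destructive call is made without the caller repeating the action phrase."""


def destructive(describe):
    """Gate a client method behind an explicit, action-specific confirmation.

    describe(*args, **kwargs) returns a short phrase naming exactly what will happen.
    The wrapped method runs only when confirm= equals that phrase; dry_run=True
    returns the phrase instead so an agent can show it to the user first.
    """
    def wrap(fn):
        @functools.wraps(fn)
        def inner(self, *args, confirm=None, dry_run=False, **kwargs):
            phrase = describe(*args, **kwargs)
            if dry_run:
                return {"would": phrase}
            if confirm != phrase:
                raise ConfirmationRequired(f"blocked; to proceed call again with confirm={phrase!r}")
            self.audit.append(phrase)
            return fn(self, *args, **kwargs)
        return inner
    return wrap


def _describe_delete_site(site, files=False, database=False, ftp=False):
    extras = [name for name, on in (("files", files), ("database", database), ("ftp account", ftp)) if on]
    return f"delete site {site}" + (" including " + ", ".join(extras) if extras else "")


class SafeSiteClient:
    """Wrapper around an assumed raw panel client; every state-changing call is gated."""

    def __init__(self, raw):
        self._raw = raw
        self.audit = []  # phrases of every destructive action that actually ran

    @destructive(lambda path: f"delete file {path}")
    def delete_file(self, path):
        return self._raw.delete_file(path)

    @destructive(lambda path: f"delete directory {path} and everything under it")
    def delete_dir(self, path):
        return self._raw.delete_dir(path)

    @destructive(_describe_delete_site)
    def delete_site(self, site, files=False, database=False, ftp=False):
        return self._raw.delete_site(site, files, database, ftp)

    def write_file(self, path, new_body, confirm=None, dry_run=False):
        """Overwrite a remote file only after the caller has seen (and acknowledged) the diff."""
        try:
            old_body = self._raw.get_file_body(path)
        except FileNotFoundError:  # the one expected failure; auth or network errors must propagate
            old_body = ""
        diff = "".join(difflib.unified_diff(
            old_body.splitlines(keepends=True), new_body.splitlines(keepends=True),
            fromfile=f"{path} (current)", tofile=f"{path} (proposed)"))
        phrase = f"overwrite {path} ({len(old_body)} -> {len(new_body)} bytes)"
        if dry_run:
            return {"would": phrase, "diff": diff}
        if confirm != phrase:
            raise ConfirmationRequired(f"blocked; review the diff (dry_run=True) then call again with confirm={phrase!r}")
        self.audit.append(phrase)
        return self._raw.save_file_body(path, new_body)


class FakePanel:
    """Constructed in-memory stand-in for the panel API."""

    def __init__(self, files):
        self.files = dict(files)

    def get_file_body(self, path):
        if path not in self.files:
            raise FileNotFoundError(path)
        return self.files[path]

    def save_file_body(self, path, body):
        self.files[path] = body
        return True

    def delete_file(self, path):
        return self.files.pop(path, None) is not None

    def delete_dir(self, path):
        gone = [p for p in self.files if p.startswith(path.rstrip("/") + "/")]
        for p in gone:
            del self.files[p]
        return len(gone)

    def delete_site(self, site, files, database, ftp):
        return {"site": site, "files": files, "database": database, "ftp": ftp}


if __name__ == "__main__":
    client = SafeSiteClient(FakePanel({"/www/wwwroot/example.com/index.php": "<?php echo 'old';\n"}))
    print(client.write_file("/www/wwwroot/example.com/index.php", "<?php echo 'new';\n", dry_run=True)["diff"])
```

Tying the confirmation to the exact phrase (rather than a bare `--yes`) means a prompt-injected "delete it" cannot satisfy the gate unless the injected text also names the target, and the audit list gives the operator a record of what an agent session actually destroyed.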

Missing User Warnings (Low severity, 88% confidence)

On certificate-application failure, the script automatically reads a remote server log file and prints filtered lines to local stdout. Server logs can contain sensitive operational details, domain data, paths, tokens, or challenge/debug output, so automatically disclosing them to whoever runs or captures the CLI output creates an unnecessary information exposure channel.
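
The `show` command findings, the BT_CONFIG_PATH findings and the log-excerpt finding above all come down to what reaches stdout. The block below is an added example for this page, not the skill's code: it masks secret-bearing keys in a loaded config before serialising it, shortens the config path to a home-relative form, and filters a fetched log down to the lines a certificate failure actually needs with token-like values removed. SAMPLE_CONFIG and SAMPLE_LOG are constructed inputs, and the key and line patterns are assumptions about what a BaoTa config and ACME log contain.

```python
import json
import re

# Keys whose values are always masked in output.
SECRET_KEY = re.compile(r"token|secret|passw|api[_-]?key|private[_-]?key", re.I)

# Free-text rules for log excerpts: key=value secrets, bearer headers, then any long opaque token.
TEXT_RULES = [
    (re.compile(r"(?i)(\w*(?:token|secret|password|passwd|api[_-]?key))(\s*[=:]\s*)\S+"),
     lambda m: m.group(1) + m.group(2) + "<redacted>"),
    (re.compile(r"(?i)\bauthorization:\s*\S+\s+\S+"), "Authorization: <redacted>"),
    (re.compile(r"\b[A-Za-z0-9_\-]{32,}\b"), "<redacted>"),
]

SAMPLE_CONFIG = {  # constructed
    "default": "prod",
    "servers": {"prod": {"url": "https://panel.example.com:8888", "user": "admin",
                         "api_token": "d41d8cd98f00b204e9800998ecf8427e1234abcd"}},
    "config_path": "/home/ops/.config/btpanel/config.yaml",
}

SAMPLE_LOG = [  # constructed
    "2024-05-01 10:00:01 acme: requesting cert for example.com",
    "2024-05-01 10:00:02 acme: challenge token=abcDEF123456abcDEF123456abcDEF123456 written to /www/wwwroot/example.com/.well-known/acme-challenge/",
    "2024-05-01 10:00:05 error: validation failed for example.com: 403 Forbidden",
    "2024-05-01 10:00:05 debug: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.signature",
]


def mask(value) -> str:
    """Show only a short suffix so two configs can be told apart without revealing the secret."""
    s = str(value)
    return "****" + s[-4:] if len(s) > 8 else "********"


def _mask_all(value):
    """Mask every scalar under a secret-bearing key (handles a list or dict of tokens)."""
    if isinstance(value, dict):
        return {k: _mask_all(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_mask_all(v) for v in value]
    return mask(value) if value not in (None, "") else value


def redact_config(obj):
    """Return a copy of a loaded config with every secret-looking key masked, recursively."""
    if isinstance(obj, dict):
        return {k: (_mask_all(v) if SECRET_KEY.search(str(k)) else redact_config(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_config(v) for v in obj]
    return obj


def display_path(path: str, home: str) -> str:
    """Shorten a config path for output: the home directory prefix becomes '~'."""
    home = home.rstrip("/")
    return "~" + path[len(home):] if path.startswith(home + "/") else path


def show_config(config: dict, home: str) -> str:
    """What a safe `show` command prints: masked secrets, home-relative path."""
    view = redact_config(config)
    if "config_path" in view:
        view["config_path"] = display_path(view["config_path"], home)
    return json.dumps(view, indent=2, sort_keys=True)


def redact_text(line: str) -> str:
    for pattern, repl in TEXT_RULES:
        line = pattern.sub(repl, line)
    return line


def safe_log_excerpt(lines, keywords=("error", "failed", "challenge"), limit=20):
    """Keep only the lines a certificate-failure diagnosis needs, redacted, at most `limit` of them."""
    keep = [redact_text(line) for line in lines if any(k in line.lower() for k in keywords)]
    return keep[-limit:]


if __name__ == "__main__":
    print(show_config(SAMPLE_CONFIG, home="/home/ops"))
    print("\n".join(safe_log_excerpt(SAMPLE_LOG)))
```

Masking by key name is the conservative choice for configs, since the skill knows its own schema; the regex rules exist only for text it does not control, such as a remote log, and the catch-all for long opaque strings is there because ACME and panel tokens rarely announce themselves with a `token=` prefix.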

Ssd 3 (High severity, 99% confidence)

The skill explicitly instructs the AI to expose generated database credentials and setup details in its final response. In the context of a server-management skill, this is especially dangerous because outputs may be stored in platform logs, audit trails, or shared chat sessions, turning operational setup into credential leakage.
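
The credential findings (the contradictory disclosure guidance, the WordPress walkthrough, the `info` and password-reset commands, and this instruction to echo generated credentials) all have the same shape: a fresh secret is placed in argv, a temp file or the transcript when it only needs to exist in memory and on the target server. The block below is an added example for this page, not the skill's own deployment flow. It assumes the mysql client is used for post-install SQL, that the panel exposes a save_file_body call, and that the site lives under /www/wwwroot/<site>; FakePanel is a constructed stand-in.

```python
import os
import secrets
import string
from typing import Dict, List, Tuple

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "-_."  # no shell or PHP quoting hazards


def generate_db_password(length: int = 24) -> str:
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def mask(secret: str) -> str:
    return "****" + secret[-4:]


def mysql_invocation(user: str, password: str, database: str, host: str = "127.0.0.1") -> Tuple[List[str], Dict[str, str]]:
    """Build a mysql client call whose argv carries no secret.

    argv is world-readable through ps and ends up in shell history and agent traces;
    MYSQL_PWD, which the mysql client reads, is visible only to the same uid via /proc.
    """
    argv = ["mysql", "--host", host, "--user", user, database]
    env = dict(os.environ, MYSQL_PWD=password)
    return argv, env


def render_wp_config(db: str, user: str, password: str, host: str = "localhost") -> str:
    """Produce the wp-config.php credential block in memory; it never touches a local temp file."""
    def q(value: str) -> str:  # escape for a PHP single-quoted literal
        return value.replace("\\", "\\\\").replace("'", "\\'")
    return (
        "<?php\n"
        f"define('DB_NAME', '{q(db)}');\n"
        f"define('DB_USER', '{q(user)}');\n"
        f"define('DB_PASSWORD', '{q(password)}');\n"
        f"define('DB_HOST', '{q(host)}');\n"
    )


def password_from_wp_config(body: str) -> str:
    """Read the DB password back out of a rendered wp-config.php (used to audit where the secret landed)."""
    line = next(l for l in body.splitlines() if "DB_PASSWORD" in l)
    return line.split("'")[3]


def deploy_wordpress(panel, site: str, db: str, db_user: str) -> Dict[str, object]:
    """Deployment flow whose returned report is safe to paste into a chat transcript or log."""
    password = generate_db_password()
    argv, env = mysql_invocation(db_user, password, db)  # what a post-install SQL step would run
    wp_config_path = f"/www/wwwroot/{site}/wp-config.php"
    panel.save_file_body(wp_config_path, render_wp_config(db, db_user, password))  # pushed via the panel API
    return {
        "argv": argv,
        "env_has_password": env.get("MYSQL_PWD") == password,
        "message": (
            f"WordPress deployed for {site}. Database {db}, user {db_user}, password {mask(password)} "
            f"(full value stored in {wp_config_path} on the server; not included here)."
        ),
    }


class FakePanel:
    """Constructed stand-in: remembers what would have been written to the server."""

    def __init__(self):
        self.files = {}

    def save_file_body(self, path, body):
        self.files[path] = body
        return True


if __name__ == "__main__":
    report = deploy_wordpress(FakePanel(), "example.com", "wp_example", "wp_user")
    print(report["message"])
```

The completion message names where the secret lives instead of quoting it, so a user who genuinely needs the password reads it from the server once rather than every orchestration log that stored the transcript; the same rule applies to the `info` and password-reset commands, which should print the masked form unless the user passes an explicit flag asking for the plaintext.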

VirusTotal

63 of 63 vendors reported this skill as clean.