btpanel

Security checks across malware telemetry and agentic risk

Overview

This BT-Panel monitoring skill is mostly legitimate, but it includes under-disclosed remote file-changing powers and can print stored API tokens in full.

Review before installing. Use this only if you trust it with BT-Panel API tokens for the servers you configure. Avoid running `bt-config show` in shared terminals or chats, protect the YAML config file, prefer SSL verification, and be aware that the package contains remote file write/delete/permission functions beyond normal monitoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions, yet its documented and inferred capabilities include shell, network, file read/write, and environment access. This creates a trust-boundary problem: users and policy engines may treat the skill as low-risk while it can access sensitive server data and perform impactful local or remote operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose is operational monitoring, but the analysis indicates broader file-management and modification capabilities, including remote file write, create, delete, and permission changes. That mismatch is dangerous because operators may invoke the skill expecting read-only inspection while it can alter remote systems or expose sensitive files, increasing the risk of accidental misuse or abuse.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The client exposes a generic file-read primitive via get_file_body(path), allowing any caller with access to this skill to request arbitrary panel-accessible file paths rather than only predefined monitoring or log files. In an ops/monitoring skill, that broad capability increases the chance of reading sensitive files such as configuration, keys, or credential-containing logs if upstream controls are weak or absent.

Context-Inappropriate Capability

Low
Confidence
92% confidence
Finding
The get_config_info function returns the value of BT_CONFIG_PATH, exposing environment-derived configuration details to callers. Environment variables often contain sensitive filesystem locations or operational context, and surfacing them unnecessarily increases the risk of information disclosure to an AI agent or downstream consumer.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
This file exposes broad remote file-management capabilities including reading, creating, modifying, and deleting files on managed servers, which substantially exceeds the manifest's stated monitoring/auditing scope. In an agent skill, this kind of scope mismatch is dangerous because users or downstream orchestration may trust it as read-only/observational while it can actually alter server state and sensitive files.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code can change remote ownership and permissions via SetFileAccess, enabling privilege misuse, service disruption, or exposure of sensitive files if invoked on critical paths. Because the manifest frames the skill as monitoring/auditing, this hidden administrative capability is especially risky and inconsistent with least privilege.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The `show` command prints the entire loaded configuration in YAML or JSON, which will include stored API tokens and other secrets if present. In an agent/tooling context, this can disclose credentials to users, logs, transcripts, or downstream systems, enabling unauthorized access to managed BT panels.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The `show` command dumps the full loaded configuration in YAML or JSON, which is likely to include sensitive server API tokens. Printing secrets directly to stdout can leak credentials into terminal history, logs, CI output, chat transcripts, or other monitoring systems, enabling unauthorized access to managed BT-Panel instances.

Missing User Warnings

Low
Confidence
90% confidence
Finding
Exposing BT_CONFIG_PATH through get_config_info can leak environment-derived local paths without clear user awareness. In agent contexts, even seemingly minor path disclosure can aid follow-on attacks by revealing directory layouts, usernames, or the presence of sensitive configuration files.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The write helper performs remote file modification with no user-facing warning, approval gate, or policy check at the point of action. In an agent setting, silent writes increase the chance of accidental or unauthorized configuration changes, code tampering, or operational outages.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The directory deletion operation can remotely remove directories without any built-in confirmation, approval workflow, or guardrails. Even if deletion is implemented as moving to a recycle bin, this can still cause application failures, data loss, or service disruption when triggered unexpectedly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file deletion method allows silent remote deletion of files with no user confirmation or contextual warning. In the context of server administration, this can delete configs, web content, logs, or keys, leading to outages, forensic loss, or weakened security.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Displaying the full configuration without masking sensitive fields exposes API tokens directly to anyone with access to command output, terminal history capture, orchestration logs, or chat transcripts. Because this skill manages server access credentials, the context makes the leak materially dangerous: exposed tokens could permit control or monitoring of production infrastructure.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The `show` command exposes complete configuration data, including credentials, without warning or masking. In operational environments, stdout is often captured by shells, logging agents, orchestration tooling, and support channels, so a simple diagnostic command can become a credential exfiltration path.

VirusTotal

65/65 vendors flagged this skill as clean.