btpanel
Warn
Audited by ClawScan on May 18, 2026.
Overview
This skill mostly matches BT-Panel server monitoring, but it handles powerful panel API tokens in persistent config and may expose full configuration output without enough registry warning.
Use this skill only if you trust it with BT-Panel administrative access. Prefer a least-privilege or dedicated panel token, restrict the token/IP access in BT-Panel, keep the config file private, avoid running config show unless tokens are redacted, and confirm the exact server scope before broad monitoring or log commands.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A panel API token could be stored or displayed in agent output/transcripts if full configuration is shown, potentially exposing access to the server panel.
The CLI requires a BT-Panel API token, passes it into saved server configuration, and the show command prints the loaded config with no redaction visible in this script. BT-Panel tokens can carry server-administration authority.
add_parser.add_argument("--token", "-t", required=True, help="API Token") ... add_server(... token=args.token ...); ... print(json.dumps(config, ensure_ascii=False, indent=2))
Declare the BT-Panel credential and config path in metadata, redact tokens in show/list/error output, store config with restrictive permissions, and ask the user before displaying any configuration.
If used on an untrusted network, an attacker could intercept or tamper with panel traffic when SSL verification is disabled.
The skill supports disabling TLS certificate verification for self-signed BT-Panel certificates. It defaults to verification and tells the AI to ask the user, but disabling verification weakens protection for the API token in transit.
Self-signed certificate scenario ... python3 {baseDir}/scripts/bt-config.py add ... --verify-ssl false
Use trusted certificates where possible; only use --verify-ssl false for known self-signed panels on trusted networks, and rotate tokens if exposure is suspected.
The agent may retrieve logs from multiple servers, which can include IP addresses, domains, error details, or accidentally logged secrets.
When no single server is selected, the log script iterates all configured BT-Panel clients and reads service log files through the panel API. This is purpose-aligned, but it is broad operational data access.
all_clients = manager.get_all_clients() ... response = client.get_file_body(log_path)
Specify --server and --service when possible, limit --lines, and avoid pasting or saving sensitive log output unless needed.
Users may need to install packages manually, and dependency versions may vary by environment.
The skill relies on external Python packages installed outside a formal install spec. This is expected for the skill, but package versions and provenance are not tightly pinned in the registry artifacts.
Install dependencies:
```bash
pip install requests pyyaml
```
Install dependencies from trusted package indexes, preferably in a virtual environment, and consider pinning reviewed versions.
