Setup Automatik
Security checks across malware telemetry and agentic risk
Overview
This skill is intended to administer a VPS, but it asks for broad server access and can run a large installer script that may make major system changes.
Install only if you deliberately want the agent to administer a VPS. Prefer a disposable or freshly snapshotted server, use temporary credentials or a dedicated SSH key, review the installer script and commands before execution, and rotate or remove access after the work is complete.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If mishandled, the agent or anyone with access to the chat could gain broad control over the user's server.
The skill asks the user to provide credentials or keys that can grant full administrative control of the VPS.
Provide the agent with your VPS connection details: ... Username (usually `root`) ... SSH Password OR Private Key
Use a dedicated temporary key or tightly scoped account where possible, avoid pasting long-lived root passwords or private keys, and revoke or rotate credentials after the task.
A mistaken instruction or unsafe script path could install, reconfigure, or disrupt services on the VPS.
Direct or non-interactive execution of a broad VPS installer can make major system changes without clearly documented approval gates or rollback controls.
The skill can extract specific installation blocks or execute the script directly in non-interactive mode when possible.
Confirm each installation step before execution, review the exact commands or script block, and take a server snapshot or backup before using the skill.
Users have less provenance information to verify that the bundled installer matches a trusted upstream source.
The package is intended to run a high-privilege installer, but the registry metadata does not provide a verifiable source or homepage for the skill.
Source: unknown; Homepage: none
Inspect `assets/SetupOrion.sh`, compare it with a trusted upstream copy if available, and only run it on servers where you are comfortable granting installer-level privileges.
