Setup Automatik

Security checks across malware telemetry and agentic risk

Overview

This VPS installer has a legitimate purpose, but it needs review because it requests powerful server access while under-disclosing telemetry, secret storage, and broad administrative changes.

Install only if you are comfortable granting this skill administrative control of a VPS. Prefer scoped, temporary access over sharing root passwords or private keys in chat, take a server snapshot first, review the exact SetupOrion commands you will run, expect telemetry to Orion unless removed, and rotate SSH, Portainer, SMTP, and application credentials after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill clearly enables sensitive capabilities such as file access and shell execution on a remote VPS, yet it does not declare permissions or present corresponding safeguards. This reduces transparency for users and reviewers, making it easier for high-risk actions to be invoked without informed consent or proper policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose is VPS installation and management, but the referenced behavior includes telemetry exfiltration, plaintext credential storage, token retention, external API management, and branding modifications unrelated to the stated function. This mismatch is dangerous because users may grant highly privileged access expecting routine deployment assistance while the underlying automation performs broader, less transparent actions involving secrets and outbound data transfer.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script collects the host IP and posts installation status/metadata to an Orion-controlled endpoint without clear, informed opt-in. In an installation skill running with elevated privileges on a VPS, undisclosed outbound telemetry is a real security and privacy risk because it leaks infrastructure details to a third party and creates an external dependency/channel not required for local installation.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The telemetry function is unrelated to the core purpose of installing and managing VPS software and silently transmits host metadata off-box. Because this skill is meant to manage infrastructure, unexpected network egress increases risk and reduces user control over sensitive operational data.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The script stores Portainer URL, username, password, and JWT token in plaintext under /root/dados_vps/dados_portainer. Plaintext persistence of reusable administrative credentials is dangerous because anyone with root access, backups, logs, or accidental file exposure can fully compromise Portainer and any managed Docker stacks.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The installer fetches and executes remote bootstrap content and downloads code from multiple external sources, including curl-piped shell execution and git/wget retrieval. This is dangerous because a compromised upstream, MITM, or repo change can turn the installer into a remote code execution vehicle on the target VPS, often with root privileges.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill asks users to paste SSH passwords or private keys directly into chat without prominent warnings, secure handling guidance, or safer alternatives. Chat channels are often logged, retained, or exposed to intermediaries, so requesting raw privileged credentials creates a serious risk of credential theft and full server compromise.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill describes direct command execution on the user's VPS but does not clearly warn that these actions can modify system state, install software, alter networking, and potentially break services. In a high-privilege server-management context, lack of explicit risk disclosure makes accidental destructive use more likely.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script transmits host IP, tool name, and status to a remote endpoint without a clear warning or consent flow tied to that behavior. In the context of a VPS management installer, covert or poorly disclosed telemetry is particularly risky because it reveals infrastructure metadata from a privileged environment.

Missing User Warnings

High
Confidence
99% confidence
Finding
Writing Portainer credentials and token to disk in plaintext is a direct secret-handling weakness. Since the skill administers Docker/Portainer on a VPS, compromise of these files can grant broad control over deployed services and secrets across the host.

Missing User Warnings

High
Confidence
99% confidence
Finding
The SMTP test workflow prints the entered SMTP password back to the terminal in plaintext. This exposes sensitive credentials to shoulder-surfing, terminal scrollback, session recording, logging, and shared console history, which is especially dangerous on admin-managed VPS sessions.

Ssd 3

High
Confidence
98% confidence
Finding
Instructing users to paste node-pairing material or full SSH credentials into chat exposes privileged access artifacts through an insecure handling path. If those materials are intercepted, logged, or reused, an attacker could gain direct administrative control over the VPS and any hosted applications or secrets.

External Script Fetching

High
Category
Supply Chain
Content
#### Option 1: OpenClaw Node Pairing (Recommended)
This is the most secure and native way. It allows the agent to execute commands directly on your VPS terminal.
1. Run the installer on your VPS: `curl -fsSL https://get.openclaw.ai | sh`
2. Start the pairing process: `openclaw node pair`
3. Paste the resulting pairing code or command here in the chat.
Confidence
95% confidence
Finding
curl -fsSL https://get.openclaw.ai | sh

VirusTotal

66/66 vendors flagged this skill as clean.