Back to skill

Security audit

Setup Automatik

Security checks across malware telemetry and agentic risk

Overview

This VPS installer mostly matches its stated purpose, but it needs Review because it asks for powerful server access and under-discloses telemetry and credential-handling risks.

Install only if you intentionally want an agent to administer a VPS. Prefer a fresh or snapshotted server, use temporary SSH keys instead of passwords or long-lived private keys, review or restrict the installer before running it, block or remove Orion telemetry if that data flow is not acceptable, and rotate SSH, Portainer, SMTP, and app credentials after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises shell/file capabilities and operational behavior, but does not declare permissions or clearly scope what access is required. In a VPS-management context, undeclared execution capability is dangerous because users may grant broad trust without understanding that the skill can read files and run commands on infrastructure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose focuses on VPS installation/management, but the referenced behavior includes telemetry to a third party, storage of Portainer credentials/tokens, and authenticated API actions not transparently disclosed to the user. In this context, hidden telemetry and secret retention materially increase risk because the skill handles administrative access to production servers and orchestration platforms.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script explicitly collects the host IP and transmits it with tool/status metadata to an external Orion telemetry endpoint. For a VPS installer running as root, outbound disclosure of infrastructure details to a third party without explicit informed consent is a real privacy and operational security issue, especially because it can reveal the user's server inventory and deployment activity.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This finding is effectively another instance of the telemetry behavior: the installer sends per-tool lifecycle events to an external service. In the context of a root-level VPS management script, this increases exposure by revealing what software is being installed and when, which can aid profiling of the environment.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The SMTP test flow collects full mail credentials and then prints them back to the terminal, expanding exposure beyond what is necessary for installation. On a multi-user host, recorded shell session, or shared admin environment, this can directly leak mailbox credentials that may also unlock other services.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill asks users to provide root SSH credentials or private keys directly in chat without prominent warnings, safer alternatives, or secret-handling constraints. This is highly dangerous because disclosure of these credentials grants full server compromise, and chat channels are often inappropriate for transmission or long-term storage of administrator secrets.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The telemetry function sends the machine IP and tool/status metadata to a remote endpoint without a dedicated warning or consent flow. In a privileged deployment script, silent outbound reporting undermines operator expectations and leaks sensitive infrastructure metadata.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script stores Portainer domain, username, password, and JWT token in plaintext under /root/dados_vps/dados_portainer. Anyone obtaining root access, backups, logs, or accidental file disclosure gains immediate administrative access to Portainer and potentially the managed Docker environment.

Missing User Warnings

High
Confidence
99% confidence
Finding
The SMTP password is displayed back to the terminal during the test flow, exposing a live credential in cleartext. This is dangerous because terminal logs, screen recordings, shell history capture tools, or nearby observers can recover the password and compromise the associated email account.

External Script Fetching

High
Category
Supply Chain
Content
#### Option 1: OpenClaw Node Pairing (Recommended)
This is the most secure and native way. It allows the agent to execute commands directly on your VPS terminal.
1. Run the installer on your VPS: `curl -fsSL https://get.openclaw.ai | sh`
2. Start the pairing process: `openclaw node pair`
3. Paste the resulting pairing code or command here in the chat.
Confidence
99% confidence
Finding
curl -fsSL https://get.openclaw.ai | sh

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.