Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
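FastapiAdmin WSL Automated Deployment
v1.0.0
Automatically deploys FastapiAdmin in a Windows WSL2 Ubuntu environment. Includes environment checks, dependency installation (pip/pnpm/MySQL/Redis/Nginx), cloning and building the frontend and backend code, the Nginx SPA routing fix (alias + try_files loop issue), WSL2 network access (access from the host browser), SSL...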
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (WSL2 FastapiAdmin deployment) match the instructions: they install system packages, clone repo, build frontend/backend, configure Nginx and SSL, and enable host access. Required items declared (none) are consistent with an instruction-only skill.
Instruction Scope
The SKILL.md instructs the agent/operator to run many privileged system changes: apt installs, start system services, run sudo cp to /etc/nginx/nginx.conf, generate and place private keys under /etc/nginx/ssl, create a MySQL user and grant privileges, and modify frontend env files. Those are within deployment scope, but they are high-impact operations and include risky guidance (hardcoded DB password 'fastapiadmin123', suggestion to edit Windows hosts to map WSL2 IP to localhost). There are minor inconsistencies (Nginx server_name service.fastapiadmin.com vs self-signed cert CN=localhost and the hosts mapping guidance).
Install Mechanism
Instruction-only skill — no install spec. Commands download get-pip.py from bootstrap.pypa.io and clone from gitee.com; these are standard but will write files and install packages when run. No opaque external binary downloads or archive extractions beyond git/apt/npm/openssl usage.
Credentials
The skill does not request environment variables, but it instructs creating credentials and files on-disk: it creates a MySQL user with a hardcoded weak password and writes a private key to /etc/nginx/ssl. Those secret-handling choices are disproportionate/unprotected by default. The instructions do not recommend using unique strong passwords, secret storage, or verifying remote repo integrity before cloning.
Persistence & Privilege
Although the skill itself is not persistent (always:false), the runtime actions it prescribes require root privileges and modify system-wide configuration (installing services, overwriting /etc/nginx/nginx.conf, placing SSL keys). That gives the procedure a high blast radius if executed blindly; this is appropriate for deployment but risky without review and backups.
What to consider before installing
This SKILL.md is coherent with deploying FastapiAdmin on WSL2 but contains high-impact, privileged commands and some unsafe defaults. Before running anything:
1) Review every shell command line-by-line and run them manually (don’t run the whole script as-is).
2) Replace the hardcoded DB password with a strong unique password and store it securely.
3) Back up existing /etc/nginx/nginx.conf before overwriting.
4) Consider using proper TLS (Let’s Encrypt) or generate certs with correct CN/server_name instead of the provided self-signed CN=localhost.
5) Avoid mapping a remote IP to 'localhost' on Windows — prefer using a custom host name and update server_name accordingly.
6) Verify the git repositories (confirm authors and commit history on gitee) before cloning and building.
7) Run package installs and service starts interactively so you can observe and revert changes.
If you want, I can: produce a reviewed, safer step-by-step script with prompts for secrets, or highlight exact lines you should change before running.
Like a lobster shell, security has layers — review code before you run it.
