1Panel API Skills

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only 1Panel server administration skill, but it exposes very broad and sensitive admin actions without enough safety guidance.

Install only if you intentionally want an agent to reference or operate a highly privileged 1Panel server API. Use HTTPS or a trusted private network, store the API key as a secret, rotate it if exposed, prefer least-privilege access where possible, and require explicit human approval before deletes, overwrites, restores, reboot/shutdown, SSH access, shell/script execution, private-key handling, or broad file/database operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (24)

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The API documentation exposes an option to execute arbitrary custom shell script content (`execShell` + `shell`) as part of certificate issuance, which is far broader than normal CA management and creates a direct command-execution capability. In a panel/API context, this can lead to remote code execution, privilege abuse, persistence, or full host compromise if reachable by an agent or insufficiently trusted caller.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The documented SSL create/update APIs include `execShell` and `shell`, enabling arbitrary shell-script execution as part of certificate operations. In an agent skill context, this is far beyond normal SSL lifecycle management and creates a direct path to command execution on the managed host if an agent or user passes attacker-controlled script content.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The upload API supports `local` mode with `privateKeyPath` and `certificatePath`, allowing the caller to reference server-side filesystem paths. In an agent-exposed API, this can be abused to ingest sensitive local files or probe filesystem contents, especially if path validation is weak or if the backend reads arbitrary files on behalf of the caller.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to generate and supply a 1Panel API key for broad server-management operations, but it does not warn that this credential is highly sensitive and can grant administrative control over websites, containers, databases, files, backups, and host settings. In an agent context, omission of secret-handling guidance increases the risk of credential overexposure, unsafe storage, logging, or reuse, which could enable full server compromise if the key is leaked.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill advertises operational control over destructive or high-impact modules such as containers, databases, files, backups, cronjobs, hosts, and settings without warning that actions may create, modify, stop, overwrite, or delete production resources. In a server-administration skill, lack of safety framing makes accidental destructive actions more likely, especially when used through an autonomous or semi-autonomous agent.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The documentation instructs users to submit SMTP credentials, including a password, to a test endpoint over a base URL explicitly shown as plain HTTP. In this skill context, that materially increases the risk of credential exposure in transit or interception by anyone on the network path.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation exposes backup recovery functionality that can restore system data, including from uploaded files, but does not warn that these actions are destructive, system-affecting, or potentially irreversible. In an agent skill context, lack of such warnings increases the chance an automated or human operator triggers restore operations without understanding overwrite, downtime, or data-loss consequences.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents operations that accept sensitive fields such as accessKey, credential, and token-related values without any privacy or handling guidance. In an agent-integrated environment, this can lead to secrets being logged, echoed back to users, stored insecurely, or reused improperly, increasing the risk of credential exposure and unauthorized access to backup storage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documented endpoint performs destructive host-level actions (`reboot` or `shutdown`) and the skill provides no warning, confirmation guidance, privilege note, or operational safety constraints. In an agent skill context, exposing such an action as a normal API call increases the risk of accidental or unauthorized service disruption, especially because this dashboard module also exposes rich system-management capabilities.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill documents destructive disk partitioning and mount operations without explicit warnings about data loss, filesystem overwrite risk, or service disruption. In an agent context, this increases the chance that automation or an inexperienced user could invoke dangerous host-level operations on the wrong device, causing irreversible damage.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Firewall and SSH control actions can immediately sever network access or lock administrators out of the host, yet the documentation omits any warning about these consequences. In a skill meant for broad operational use, that omission makes unsafe automation materially more likely.

Missing User Warnings

High
Confidence
95% confidence
Finding
These endpoints handle highly sensitive SSH material, including private keys and passphrases, and even expose retrieval fields for stored secrets without any credential-handling warning. In an agent skill, normalizing direct access to such data without strong cautions increases the risk of secret disclosure, unsafe logging, and downstream compromise of hosts using those credentials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
SSH configuration file edits and setting updates can weaken authentication, expose the service, or make the daemon fail to restart, but the documentation does not warn about security or availability impact. In a host-management skill, that omission makes it easier for an agent or user to apply unsafe changes such as enabling root login or disabling key-based protections.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation explicitly describes an endpoint that returns all available system log file paths, including sensitive locations such as /var/log/syslog and nginx logs. Even if it only exposes paths rather than file contents, this leaks system structure and high-value targets that can aid reconnaissance, privilege escalation attempts, or follow-on attacks, and the docs provide no warning about access control or sensitivity.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This endpoint documentation exposes a module update interface that supports arbitrary initialization scripts, package lists, and create/update/delete operations without any warning about code execution or system modification risk. In an agent skill context, this is more dangerous because an LLM-driven agent could treat the interface as routine configuration management and trigger script/package actions that materially alter runtime behavior or enable remote code execution on the managed host.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation explicitly exposes fields such as full command lines, environment variables, open files, and network connections, which commonly contain secrets, internal hostnames, tokens, and sensitive operational metadata. In a system administration context this may be legitimate, but presenting these outputs without any sensitivity warning or redaction guidance increases the chance that integrators expose or log highly sensitive process data insecurely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents an endpoint that returns highly sensitive SSH secrets, including password, privateKey, and passPhrase, and companion endpoints for storing them, without any warning about secret exposure, least-privilege handling, or redaction. In an agent context, this is dangerous because an LLM-powered client may retrieve, display, log, or persist these credentials unintentionally, leading to host compromise and lateral movement if the API is accessible.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This section documents several host-level operations that can directly change system configuration or security state, including password changes, hosts updates, swap changes, config-file writes, and cleanup actions, but provides no warning about confirmation, authorization sensitivity, or operational risk. In an agent skill context, these endpoints could be invoked from natural-language requests and cause lockout, misconfiguration, or destructive cleanup without the user clearly understanding the impact.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documented Fail2ban and FTP endpoints can start/stop security services, alter ban rules, create or delete accounts, and change credentials or access paths, yet the documentation omits warnings about service interruption, loss of access, and account deletion consequences. Because this skill is specifically for infrastructure administration, the absence of cautionary controls makes unintended or over-broad agent actions more dangerous, not less.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
These Clam endpoints allow configuration overwrites, manual scans, record clearing, and optional deletion of infected files, but the documentation does not warn about data loss, scan load, or destructive quarantine/removal outcomes. In an automated skill, such omissions can lead users or agents to trigger file deletion or operationally expensive scans without understanding the consequences.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to submit highly sensitive DNS provider credentials such as API keys, access keys, secrets, and service account JSON, but it provides no warning about secure storage, redaction, logging, least-privilege scoping, or rotation. In an API skill for panel-based website and certificate automation, this omission increases the chance that operators expose credentials in logs, screenshots, chat transcripts, repos, or overprivileged account configurations, which can lead to DNS takeover or broader cloud account abuse.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The delete endpoint removes DNS account records and the documentation does not warn that this is a destructive action that can break automated DNS validation, certificate issuance, or renewal workflows tied to the account. While this is not a direct exploit primitive by itself, the lack of operator warning increases the likelihood of accidental disruption and service-management errors.

Missing User Warnings

High
Confidence
94% confidence
Finding
The documentation presents custom shell-script execution during SSL operations without any safety constraints or warning. Because this skill may be consumed by autonomous agents, normalizing script execution inside a certificate workflow materially increases the chance of unsafe use and host compromise.

Missing User Warnings

High
Confidence
91% confidence
Finding
The docs expose handling of private keys, certificate contents, local key paths, and certificate download behavior without emphasizing that these are highly sensitive secrets. In an agent setting, this increases the risk of credential leakage, insecure storage, accidental exfiltration in logs, or unsafe retrieval of TLS private material.

VirusTotal

63/63 vendors flagged this skill as clean.
