3x-ui VPN Server Setup

Security checks across malware telemetry and agentic risk

Overview

This VPN setup skill is mostly coherent, but it includes risky credential handling and an optional fake login fallback page that users should review carefully before installing.

Install only for a fresh, dedicated VPS and only if you are comfortable giving the agent root/server-admin authority. Do not use the fake cloud login fallback; replace it with a truthful static page. Redact passwords from generated guides and chat summaries, avoid sshpass/plaintext password commands, and review all downloaded installer and root-level commands before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

Severity: High. Confidence: 98%.
Finding:
The skill explicitly claims passwords are never stored in files, yet later instructs generating a guide file containing credentials. This contradiction encourages operators to persist sensitive secrets in plaintext, increasing the risk of credential theft from the local machine, backups, or chat/file sync systems.

Intent-Code Divergence

Severity: Critical. Confidence: 99%.
Finding:
The guide template stores the sudo password and 3x-ui panel password in a reusable document, directly violating the stated security rule. Persisting both server-admin and panel credentials in plaintext creates a durable compromise artifact that can grant full server control if the file is exposed.

Context-Inappropriate Capability

Severity: Medium. Confidence: 84%.
Finding:
Embedding instructions to install sshpass and automate password-based login expands the skill beyond simple VPN setup into insecure credential automation on the user's workstation. Using plaintext passwords in command arguments exposes them to shell history, process listings, and logs.

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.
Finding:
The file explicitly instructs creation of a realistic fake cloud login page as camouflage for the proxy service. Even though the form is described as cosmetic, the deceptive presentation is unrelated to legitimate VPN operation and encourages impersonation-style behavior that can facilitate phishing, social engineering, or evasion of scrutiny.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding:
The guide template instructs storing multiple credentials locally without a clear warning that the file is highly sensitive. Even if intended for user convenience, it normalizes unsafe secret handling and increases exposure through local compromise, backups, cloud sync, or accidental sharing.

Missing User Warnings

Severity: Medium. Confidence: 96%.
Finding:
The sshpass instructions use a plaintext password without warning about command-line exposure and workstation-side leakage. This is dangerous because many systems retain shell history and permit other local users or monitoring tools to observe process arguments.

Missing User Warnings

Severity: Medium. Confidence: 83%.
Finding:
The instructions perform system-changing operations including package installation, enabling a new Nginx site, deleting the default enabled site, and reloading the service, but do not clearly warn the user about service disruption or configuration replacement. On a fresh VPS this may be acceptable, but the skill claims to guide beginners and the lack of explicit warning increases the risk of accidental breakage or overwriting an existing web setup.

Natural-Language Policy Violations

Severity: High. Confidence: 98%.
Finding:
The markdown not only permits but promotes a deceptive fake login page, framing it as a way to make the server appear like a normal site and advising users to keep it realistic. That is a strong indicator of intent to conceal the true service and normalize deceptive content without legitimate operational need or informed opt-in.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding:
The command sets panel credentials directly on the shell command line, which can expose the username and password through shell history, process listings, terminal logging, and remote audit logs. In this skill's context, the credentials are for an internet-facing admin panel on a root-managed VPS, so leakage materially increases takeover risk.

Ssd 3

Severity: High. Confidence: 98%.
Finding:
The skill directs the model to persist and later disclose collected credentials, including administrative secrets, in a generated guide and summary. This creates unnecessary secret duplication across files and chat transcripts, widening the attack surface far beyond the server itself.

Ssd 3

Severity: High. Confidence: 97%.
Finding:
The fallback to reveal the full credential guide directly in chat can expose all access secrets in conversation history, which may be retained, synced, or reviewed later. Chat disclosure is especially risky because it defeats the limited-file-scope assumption and broadens exposure to anyone with transcript access.

Ssd 3

Severity: High. Confidence: 99%.
Finding:
The guide file embeds reusable credentials and access details for SSH sudo and the 3x-ui control panel. Because these are live administrative secrets, any leakage of the file can enable unauthorized server management or complete takeover.

Ssd 3

Severity: High. Confidence: 96%.
Finding:
The embedded instructions explicitly ask another model session to use and transmit the server password for automated setup. This encourages propagation of secrets across model contexts and tools, increasing the chance of inadvertent disclosure, logging, or misuse.

Ssd 3

Severity: High. Confidence: 98%.
Finding:
The completion summary instructs printing passwords and other secrets back to the user in chat, causing long-term exposure in transcript history. Re-displaying secrets after setup is unnecessary and materially increases leakage risk.

Ssd 4

Severity: Medium. Confidence: 97%.
Finding:
The skill provides step-by-step guidance and full HTML/CSS for a realistic fake login page specifically as a cover story for the service. This materially lowers the barrier to deploying deceptive infrastructure and can be repurposed for phishing or operational concealment, making it more dangerous in the context of a remote server setup skill.

VirusTotal

66/66 vendors flagged this skill as clean.
