3x-ui VPN Server Setup
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: 3x-ui-vpn-setup Version: 1.0.0 The skill bundle automates the deployment and hardening of a 3x-ui VPN server (Xray proxy). It performs high-privilege operations including SSH configuration, firewall management (UFW/fail2ban), and kernel hardening, all of which are strictly aligned with its stated purpose of securing a VPS for proxy use. While it executes external scripts and binaries (3x-ui installer and RealiTLScanner from GitHub), these are standard tools within the VPN community. The skill follows security best practices by enforcing non-root user access and disabling password authentication, and it provides a transparent 'guide file' for the user to manage their credentials.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If followed on the wrong machine or with incorrect values, the instructions can significantly change or break server access.
The skill grants the agent file and shell capabilities, and the visible workflow uses them for root-level server setup, package upgrades, user creation, firewalling, and SSH changes.
allowed-tools: Bash,Read,Write,Edit
Use only on a fresh VPS, review each command before execution, and keep provider console or snapshot recovery available.
Anyone or any agent executing these steps with the provided credentials can fully administer the server.
The skill asks for the VPS root password and then creates/administers privileged accounts, which is expected for server setup but gives full control over the VPS.
**Root password** -- from provider email
Use a fresh server, rotate temporary passwords after setup, avoid sharing credentials beyond the session, and verify SSH key access before disabling password/root login.
The server setup depends on the current contents and availability of an external installer script.
The optional TLS path downloads and executes an external installer at runtime without pinning a version or checksum.
curl https://get.acme.sh | sh
Prefer official packaged installation where possible, or verify the installer source, version, and checksum before running it.
Anyone who can read that guide file may obtain VPN or panel access details.
The workflow says it will generate a guide file containing credentials, creating a persistent sensitive artifact.
Generate guide file (credentials + instructions)
Store the guide securely, avoid committing it to repositories or shared folders, and delete or encrypt it once the user has saved credentials safely.
Visitors may be misled into thinking the server is a real cloud storage login page, creating phishing-like or abuse risk even though the sample form does not submit credentials.
The optional fallback instructions explicitly encourage creating a realistic fake login page, including email and password fields, to make the server look like another service.
Generate a realistic-looking page. Example -- fake cloud login:
Do not deploy fake login pages; use a truthful static placeholder, personal site, or no fallback page instead.