1panel Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real 1Panel administration skill, but it gives an agent broad server-control power without built-in safety gates.

Install only if you trust the publisher and intend to let an agent administer your 1Panel server. Use a least-privileged API key if possible, prefer HTTPS, avoid storing the key in broadly loaded shell profiles, and require human confirmation before any command execution, delete, disk, SSH, firewall, backup restore, or credential-changing action.
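One way to implement the confirmation requirement above, added here as an example that is not part of the skill or of this report: a dispatcher wrapper that classifies tool names by the categories listed (command execution, delete, disk, SSH, firewall, backup restore, credential changes) and refuses to run a matching tool unless the caller presents an explicit confirmation for that exact call. The handler map, the `fakeClient` stand-in for the 1Panel API client, and the name patterns are assumptions; a real skill would plug in its own handlers and decide what "confirmed" means (an operator approving the tool name and arguments shown to them).

```javascript
// Added example: a human-confirmation gate in front of an agent tool dispatcher.
// Assumptions (not from the 1Panel skill): tool names are snake_case strings,
// handlers are plain functions keyed by name, and callers set `confirmed: true`
// only after a human has approved this exact tool name and argument set.

// Name patterns that put a tool behind the gate. Drawn from the classes the
// overview lists: command execution, delete, disk, SSH, firewall, backup
// restore, credential changes, plus download-to-server.
const DESTRUCTIVE_PATTERNS = [
  /^exec_/,
  /^(delete|remove|kill|prune|clear|clean|uninstall)_/,
  /_disk$/,
  /ssh/,
  /firewall/,
  /restore/,
  /password|credential|key/,
  /^update_.*conf/,
  /^wget/,
];

function requiresConfirmation(toolName) {
  return DESTRUCTIVE_PATTERNS.some((re) => re.test(toolName));
}

class GatedDispatcher {
  constructor(handlers) {
    this.handlers = handlers;
    this.audit = []; // every decision, allowed or blocked, is recorded
  }

  // Synchronous for clarity; real handlers would return promises.
  dispatch(toolName, args, { confirmed = false } = {}) {
    const handler = this.handlers[toolName];
    if (!handler) {
      return { status: 'unknown_tool', tool: toolName };
    }
    if (requiresConfirmation(toolName) && !confirmed) {
      this.audit.push({ tool: toolName, args, outcome: 'blocked_pending_confirmation' });
      // Hand the exact call back to the operator instead of executing it.
      return { status: 'needs_confirmation', tool: toolName, args };
    }
    const result = handler(args);
    this.audit.push({ tool: toolName, args, outcome: 'executed' });
    return { status: 'executed', tool: toolName, result };
  }
}

// Constructed stand-in for the real API client; it only records what would run.
const fakeClient = {
  commandsRun: [],
  execCommand(command, cwd) {
    this.commandsRun.push({ command, cwd });
    return `ran: ${command}`;
  },
  listContainers() {
    return ['web', 'db'];
  },
};

// Constructed handler map in the shape the report describes (exec_command, partition_disk, ...).
const handlers = {
  exec_command: (a) => fakeClient.execCommand(a.command, a.cwd),
  list_containers: () => fakeClient.listContainers(),
  partition_disk: (a) => `partitioned ${a.device}`,
};

const dispatcher = new GatedDispatcher(handlers);

// A read-only call passes straight through; a destructive call is held until confirmed.
dispatcher.dispatch('list_containers', {});                                   // status: executed
dispatcher.dispatch('exec_command', { command: 'rm -rf /data', cwd: '/' });  // status: needs_confirmation
dispatcher.dispatch('exec_command', { command: 'uptime', cwd: '/' }, { confirmed: true }); // status: executed
```

The gate is deliberately name-based and coarse: a skill with 580+ endpoints will not get a hand-written policy per tool, so a deny-by-pattern list that an operator can extend is a realistic first control, and the audit array gives the incident responder a record of what the agent tried to do, not only what it was allowed to do.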

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Context-Inappropriate Capability

High severity, 98% confidence
Finding
The tool explicitly exposes an `exec_command` capability that forwards arbitrary user-supplied command strings and working directories directly to `client.execCommand(...)`. In an agent skill, this enables unconstrained shell execution on the managed server, which can lead to full host compromise, data destruction, credential theft, persistence, and lateral movement; the broad server-management context makes this especially dangerous because the skill is designed to operate on privileged infrastructure.

Intent-Code Divergence

Medium severity, 97% confidence
Finding
The handler exposes `get_antileech_conf` and `update_antileech`, but these operations are omitted from the declared `websiteTools` list. That creates a capability mismatch where hidden functionality may still be invokable by name, bypassing expected tool disclosure, review, or policy controls. In a server-management skill, undisclosed config-changing operations are especially risky because they affect website request filtering and can alter security behavior without the caller understanding the capability exists.
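A check for exactly this kind of divergence, added here as an example (not the skill's code): extract the `case` labels from a handler's `switch`, compare them with the declared tool list, and build a dispatcher that refuses undeclared names so the declared list is the only thing an agent can invoke. The `declaredWebsiteTools` list and the `websiteHandler` below are constructed to mirror the finding; the real skill's `websiteTools` array and handler are not reproduced here.

```javascript
// Added example: detect tools a handler implements but does not declare, and
// fail closed on them. Everything below is constructed for illustration.

// What the skill advertises to the agent runtime (constructed).
const declaredWebsiteTools = [
  { name: 'list_websites', description: 'List websites' },
  { name: 'create_website', description: 'Create a website' },
  { name: 'delete_website', description: 'Delete a website' },
];

// What the handler will actually execute when called by name (constructed to
// show the mismatch: two anti-leech operations are reachable but undeclared).
function websiteHandler(toolName, args, client) {
  switch (toolName) {
    case 'list_websites': return client.listWebsites();
    case 'create_website': return client.createWebsite(args);
    case 'delete_website': return client.deleteWebsite(args.id);
    case 'get_antileech_conf': return client.getAntiLeech(args.id);
    case 'update_antileech': return client.updateAntiLeech(args.id, args.conf);
    default: throw new Error(`unknown tool: ${toolName}`);
  }
}

// Pull the case labels out of the handler's source text. A regex over
// Function.prototype.toString() is enough for a flat switch like this one;
// a review tool should parse the AST instead.
function implementedTools(handlerFn) {
  const src = handlerFn.toString();
  return [...src.matchAll(/case\s+'([a-z0-9_]+)'/g)].map((m) => m[1]);
}

function toolDivergence(declared, handlerFn) {
  const declaredNames = new Set(declared.map((t) => t.name));
  const implemented = new Set(implementedTools(handlerFn));
  return {
    // Callable by name but never disclosed: reviewers and policy layers never see these.
    undisclosed: [...implemented].filter((n) => !declaredNames.has(n)).sort(),
    // Disclosed but unimplemented: calls fall through to the default branch.
    unimplemented: [...declaredNames].filter((n) => !implemented.has(n)).sort(),
  };
}

// Fail closed: the dispatcher consults the declared list before the handler, so a
// name that was never disclosed cannot be invoked even if the switch knows it.
function makeStrictDispatcher(declared, handlerFn, client) {
  const allowed = new Set(declared.map((t) => t.name));
  return (toolName, args) => {
    if (!allowed.has(toolName)) {
      return { status: 'rejected_undeclared', tool: toolName };
    }
    return { status: 'executed', tool: toolName, result: handlerFn(toolName, args, client) };
  };
}

// Usage: run the divergence report in CI so undeclared capabilities fail the build.
const report = toolDivergence(declaredWebsiteTools, websiteHandler);
// report.undisclosed -> ['get_antileech_conf', 'update_antileech']
```

The divergence report belongs in the skill's test suite; the strict dispatcher belongs in the runtime, because a declared list that nobody enforces is documentation, not a control.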

Missing User Warnings

Medium severity, 94% confidence
Finding
The guide tells users to place the 1Panel API key in shell startup files like ~/.bashrc or ~/.zshrc without warning about credential exposure. A secret exported from a shell profile is inherited by every interactive shell and every process those shells spawn, which increases the chance of accidental disclosure through home-directory backups, shell history and logs, other users who can read the profile, or environment leakage to subprocesses.

Missing User Warnings

Medium severity, 91% confidence
Finding
The README advertises highly privileged, destructive capabilities such as file writes, chmod/chown, firewall and SSH changes, backups/restores, snapshots, and terminal/process management without any guidance on confirmation, authorization boundaries, or operational safety. In an AI-agent skill context, this is dangerous because documentation often shapes default agent behavior; presenting destructive actions as routine examples increases the chance an agent or integrator will invoke system-altering operations without explicit user consent or safeguards.

Missing User Warnings

Medium severity, 91% confidence
Finding
The documentation promotes broad administrative actions across containers, databases, files, firewall, SSH, backups, and websites, including clearly destructive operations like delete, remove, kill, chmod/chown, and password changes, but provides no warnings about operational risk, outage potential, or irreversible changes. In the context of a server-management skill with 580+ endpoints, omission of guardrails materially increases the likelihood of accidental service disruption, data loss, or security misconfiguration by an agent or user.

Missing User Warnings

Medium severity, 89% confidence
Finding
The documentation instructs users to export and use an API key for full server-management access but does not warn that this credential is highly sensitive or advise on secure storage, scoping, rotation, and avoidance of logging. Because the key grants administrative control over infrastructure, careless handling could lead to credential leakage and full compromise of managed systems.

Missing User Warnings

Medium severity, 82% confidence
Finding
The wget method allows remote download to the server and includes an ignoreCertificate option that can disable TLS validation. In a server-management skill, this materially increases the risk of SSRF, malicious payload retrieval, or man-in-the-middle delivery if untrusted input can reach this method, especially because the client exposes the dangerous flag without any guardrails or restrictions.

Missing User Warnings

Medium severity, 92% confidence
Finding
The tool exposes destructive and state-changing actions like uninstalling and updating applications with no visible confirmation, authorization check, or friction at the tool layer. In an agent context, this increases the risk of accidental, prompt-influenced, or unauthorized execution that can disrupt services or remove required software on managed servers.

Missing User Warnings

Medium severity, 94% confidence
Finding
This file exposes highly destructive container-management actions such as kill, remove, prune, clean logs, and upgrade through simple tool dispatch with no visible confirmation gate, policy check, role restriction, or safety interlock. In an agent skill for server management, these operations materially increase the risk of accidental or prompt-induced service disruption, data loss, or forensic log destruction if an agent invokes them on untrusted or ambiguous user instructions.

Missing User Warnings

High severity, 93% confidence
Finding
The skill exposes a direct disk partition capability through `partition_disk` with no visible confirmation, safeguard, policy check, or indication that this operation is destructive. In an agent context, a mistaken prompt, tool misuse, or prompt-injection-driven action could repartition a live disk and cause irreversible data loss or system outage.

Missing User Warnings

Medium severity, 84% confidence
Finding
The skill exposes `mount_disk` and `unmount_disk` as ordinary callable tools without visible disclosure or safety controls, which can disrupt services, hide or replace filesystem contents, or facilitate access to unintended storage. In an autonomous agent setting, these operations can be triggered by ambiguous instructions or adversarial prompts and alter system state in ways the user may not expect.

Missing User Warnings

Medium severity, 87% confidence
Finding
This file exposes direct configuration-writing primitives for Fail2ban, including arbitrary key/value updates and full file-content replacement, with no visible guardrails, confirmation step, or schema-level restriction on what can be changed. In an agent skill for server administration, these actions can disable protections, corrupt configuration, or lock out legitimate defenses if invoked through prompt manipulation or operator error.

Missing User Warnings

Medium severity, 81% confidence
Finding
The skill exposes start/stop/restart operations for Fail2ban and its SSH protection component without any indication of disruption, approval requirement, or contextual warning. In this server-management skill, stopping or restarting these protections can temporarily remove brute-force defense or interrupt expected security controls, making misuse materially risky.

Missing User Warnings

Medium severity, 92% confidence
Finding
This file exposes highly destructive file-management operations such as delete, move, overwrite-capable rename, chmod, chown, archive extraction, and file writes with no visible confirmation, policy gating, path restrictions, or safety interlocks at the tool layer. In an agent skill for server administration, these primitives materially increase the risk of accidental or prompt-induced destructive actions against arbitrary filesystem locations, including configuration files, application data, and system directories.

Missing User Warnings

Medium severity, 89% confidence
Finding
The wget_file tool enables remote network download into an arbitrary local path and includes an ignoreCertificate option that can disable TLS validation, but the interface shows no warning, constraint, or approval flow. In a server-management skill, this can be abused to fetch and place untrusted content onto the host, and certificate bypass increases exposure to man-in-the-middle delivery of malicious files.

Missing User Warnings

Medium severity, 94% confidence
Finding
The tool schemas and dispatcher accept highly sensitive secrets such as passwords and private SSH keys and provide connection-testing operations, but there is no visible minimization, redaction, or handling guidance in this layer. In an agent skill context, this increases the chance that credentials are collected, forwarded, logged, or surfaced to the model or downstream systems, which can lead to credential disclosure and unauthorized host access.
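Two controls that address this finding at the layer it describes, added here as an example and not part of the skill: a redaction pass applied to tool arguments before they are logged, traced, or echoed back into model context, and a schema check that flags secret-bearing parameters not marked write-only. The field-name regex and the sample schema are assumptions constructed for the example.

```javascript
// Added example: redact secrets in tool arguments and flag schema parameters that
// carry secrets without saying so. Field names and the sample schema are assumed.

// Parameter names that should be treated as secrets regardless of declared type.
const SECRET_KEY_RE = /pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|privkey|passphrase/i;
// PEM private-key blocks that may appear inside an otherwise innocuous string.
const PEM_RE = /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g;

// Returns a deep copy of `value` with secret fields replaced by a length marker
// and embedded PEM blocks removed. Safe to log, trace, or show to the model.
function redactArgs(value, keyHint = '') {
  if (Array.isArray(value)) return value.map((v) => redactArgs(v, keyHint));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactArgs(v, k);
    return out;
  }
  if (typeof value === 'string') {
    if (SECRET_KEY_RE.test(keyHint)) return `[REDACTED ${value.length} chars]`;
    return value.replace(PEM_RE, '[REDACTED PRIVATE KEY]');
  }
  return value;
}

// Flags parameters whose names look secret-bearing but whose JSON Schema entry is
// not marked writeOnly or format: password, so a runtime has no signal to protect them.
function undeclaredSecretParams(toolSchema) {
  const props = toolSchema.properties ?? {};
  return Object.entries(props)
    .filter(([name, spec]) => SECRET_KEY_RE.test(name)
      && !(spec.writeOnly === true || spec.format === 'password'))
    .map(([name]) => name)
    .sort();
}

// Constructed schema for an SSH-connection-test style tool.
const sampleSshToolSchema = {
  type: 'object',
  properties: {
    host: { type: 'string' },
    port: { type: 'integer' },
    password: { type: 'string' },                    // secret, but not marked
    privateKey: { type: 'string', writeOnly: true }, // secret, marked write-only
  },
};

// Constructed call arguments as an agent might pass them to the tool.
const sampleArgs = {
  host: '10.0.0.5',
  port: 22,
  password: 'hunter2',
  privateKey: '-----BEGIN OPENSSH PRIVATE KEY-----\nabc\n-----END OPENSSH PRIVATE KEY-----',
};

const safeToLog = redactArgs(sampleArgs);
// safeToLog.password -> '[REDACTED 7 chars]'
const missingMarkers = undeclaredSecretParams(sampleSshToolSchema);
// missingMarkers -> ['password']
```

Apply `redactArgs` at the one point where tool calls are serialized for logging or for the model transcript; redacting in each handler is the pattern that produces the one forgotten handler that leaks.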

Missing User Warnings

Medium severity, 90% confidence
Finding
This file exposes a destructive operation, `clear_recycle_bin`, with no confirmation, safeguard, or contextual warning before invoking the backend action. In an agent skill for server management, that increases the chance of accidental or automated data loss, especially if an LLM or caller triggers the tool with incomplete user intent validation.

Missing User Warnings

High severity, 92% confidence
Finding
The skill exposes destructive operations such as `clean_monitor_data`, `kill_process`, `update_ssh_config`, and other state-changing system actions without any visible confirmation, safety gating, or contextual warnings in this layer. In an agent-driven workflow, this increases the risk of accidental or manipulated execution that can disrupt services, erase operational data, or lock administrators out of the server.

VirusTotal

65/65 vendors flagged this skill as clean.
