1panel Skill
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: 1panel-skill Version: 1.0.0 The 1panel-skill bundle is a comprehensive and well-documented API wrapper for the 1Panel server management dashboard. It implements over 300 tools across 38 modules, covering container orchestration, website management, database administration, and system security. While the skill grants the AI agent significant privileges on the target server—including arbitrary command execution (src/api/terminal.ts) and full file system access (src/api/file.ts)—these capabilities are strictly aligned with the stated purpose of server management. The authentication logic (src/utils/auth.ts) correctly implements 1Panel's token-based security, and there is no evidence of data exfiltration, hardcoded backdoors, or malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-broad agent action could stop services, remove containers, change file permissions, alter databases, modify firewall/SSH settings, or affect production websites.
The skill intentionally exposes broad mutating server-administration APIs to an agent, but the artifacts do not show confirmation gates, resource allowlists, path restrictions, or rollback guidance for destructive operations.
Full access to 580+ API endpoints ... Container lifecycle (create, start, stop, restart, pause, kill, remove) ... File Operations ... delete ... Permissions (chmod, chown) ... MySQL (create, delete, bind user, change password) ... Firewall rules ... SSH management
Use only with explicit human approval for destructive or security-sensitive actions, and prefer a dedicated low-privilege 1Panel API key or host allowlist if 1Panel supports it.
Anyone or any agent process with access to the environment variable may be able to act through the configured 1Panel account.
A 1Panel API key is expected for this integration, but it is also the credential that authorizes the broad server-management actions exposed by the skill.
export ONEPANEL_API_KEY="your-api-key" ... API key from 1Panel Dashboard → Profile → API
Store the API key securely, avoid sharing it across unrelated agents, rotate it if exposed, and use HTTPS and least-privilege/scoped credentials where available.
An unsafe invocation could connect 1Panel AI/MCP functionality to external channels or services, potentially expanding where agent messages, tools, or server capabilities are exposed.
The API wrapper can create or operate MCP servers and update or approve external agent/channel pairings, but the artifacts do not document identity checks, origin boundaries, or approval requirements for these inter-agent connections.
async createMCPServer(params: any) ... async updateAgentDiscordConfig(params: any) ... async approveAgentChannelPairing(params: any)
Manually review and approve any MCP server, AI-agent, or chat-channel configuration changes, and restrict this skill from making those changes autonomously.
Users may assume all 1Panel operations are fully implemented and safe when the included documentation is internally inconsistent.
This coverage report conflicts with other artifacts that claim full or 100% API coverage, which could cause users to over-trust the maturity or completeness of the integration.
**整体覆盖率** | **~49%** ... 覆盖率 = 287 / 584 = 49.1%
Verify critical operations in a test environment and treat the coverage claims as approximate unless the maintainer clarifies which report is current.