Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mobazha Standalone Setup

v0.1.0

Deploy a self-hosted Mobazha store on any Linux VPS using Docker. Use when the user wants to set up a standalone store on a server.

Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (deploy a standalone Mobazha store) aligns with the instructions (SSH to a VPS and run an installer). However the installer references a default SaaS API URL (https://app.mobazha.org) and a --saas-url flag, which implies contacting an external service by default despite being described as 'standalone' — this is unexpected and should be clarified.
[!] Instruction Scope
The SKILL.md instructs the agent to accept and use user-supplied SSH passwords or keys, run 'curl -sSL https://get.mobazha.org/standalone | sudo bash' on the remote server, stop system services, modify firewall rules, and install systemd timers and binaries. These actions require high privileges on the target machine and involve handling sensitive credentials; the skill metadata does not declare or scope these credentials, and the instructions do not require verifying the downloaded installer before execution.
[!] Install Mechanism
There is no formal install spec in the skill bundle; instead, the instructions pipe an installer from get.mobazha.org directly into bash (download-and-execute). The domain is a project-specific host (not a well-known release host like GitHub Releases), which increases risk because arbitrary code will be executed on the target as root unless the user inspects the script first.
[!] Credentials
The registry metadata lists no required environment variables or credentials, yet the runtime instructions explicitly request SSH passwords or keys from the user and tell the agent to use them. The references also show SAAS_API_URL as a configurable env var with a default external URL — requiring or defaulting to external SaaS connectivity is potentially out-of-scope for a 'standalone' installer and increases data-exfil/telemetry risk.
Persistence & Privilege
The installer will make persistent changes on the target VPS (install Docker, write files under /opt/mobazha, install /usr/local/bin/mobazha-ctl, and create a systemd timer for auto-updates). This persistence is expected for an installer, and the skill does not request always:true or other elevated platform privileges. Still, these persistent components are powerful and warrant review of the installer code before running.
What to consider before installing
This skill largely does what it says (deploy a Docker-based store), but stops short of being fully safe or self-contained. Key things to consider before using it:

  1. Never blindly run 'curl | sudo bash' from an unfamiliar domain — download the installer (curl -sSL https://get.mobazha.org/standalone -o installer.sh) and inspect it before executing.
  2. Prefer using SSH keys over passwords and avoid sharing long-lived credentials with agents; if you must provide credentials, use ephemeral credentials or run commands yourself on the VPS.
  3. The installer defaults to contacting https://app.mobazha.org unless you override SAAS_API_URL — if you expect an entirely self-hosted deployment, confirm what network calls the installer and services make.
  4. Back up your VPS and test in a disposable VM first; review the mobazha-ctl script and the docker-compose files under /opt/mobazha after install.
  5. If you don't trust get.mobazha.org or need stronger guarantees, request the install scripts from a verifiable source (GitHub release or repo) and verify signatures.
  6. Be aware the skill's metadata does not declare the sensitive credentials it asks you to provide in practice — treat credential handling as risky and prefer manual installation if unsure.

MIT-0

Standalone Store Setup

Deploy a fully independent Mobazha store on any Linux VPS with a single command. Docker-based with automatic updates.

Official guide: https://mobazha.org/self-host

Prerequisites

  • A Linux VPS (Ubuntu 22.04+ or Debian 12+) with 2+ CPU cores, 2+ GB RAM, 20+ GB SSD
  • Root or sudo access
  • (Optional) A domain name pointed to the VPS IP

Recommended VPS Providers

Provider       Spec                         Price
Hetzner        2 vCPU / 4 GB / 40 GB SSD    ~€4.5/mo
Contabo        4 vCPU / 8 GB / 50 GB SSD    ~€6/mo
DigitalOcean   2 vCPU / 4 GB / 80 GB SSD    ~$24/mo
Vultr          2 vCPU / 4 GB / 80 GB SSD    ~$24/mo

Step-by-Step Deployment

Step 1: Connect to Your VPS

If the user provides an IP and password, connect via SSH:

ssh root@<IP_ADDRESS>

If the user provides an SSH key, use:

ssh -i <KEY_PATH> root@<IP_ADDRESS>

Step 2: Install the Standalone Store

For a full list of installer flags and post-install file locations, see references/install-flags.md.

Zero-config (most common):

curl -sSL https://get.mobazha.org/standalone | sudo bash

With a pre-configured domain (enables auto-TLS via Let's Encrypt):

curl -sSL https://get.mobazha.org/standalone | sudo bash -s -- --domain shop.example.com

Privacy mode with Tor:

curl -sSL https://get.mobazha.org/standalone | sudo bash -s -- --overlay tor

Using testnets (for trying things out without real money):

curl -sSL https://get.mobazha.org/standalone | sudo bash -s -- --testnet

Flags can be combined:

curl -sSL https://get.mobazha.org/standalone | sudo bash -s -- --domain shop.example.com --overlay tor --testnet

Step 3: What Happens During Installation

The installer automatically:

  1. Installs Docker if not already present
  2. Downloads the Docker Compose configuration to /opt/mobazha/
  3. Generates a unique API key
  4. Starts the Mobazha services (node, frontend, reverse proxy)
  5. Sets up a systemd timer for hourly auto-updates
  6. Installs the mobazha-ctl management CLI to /usr/local/bin/
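
The Step 2 one-liners pipe the installer straight into a root shell. This added example (not part of the skill or the Mobazha project) saves the installer to disk, flags the lines that perform the Step 3 actions and the items raised in the scan results, and re-checks the hash before running. The function names and the installer.sh file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example: fetch, review, then run the installer instead of curl | sudo bash.
# Function names and the local file name are assumptions made for this example.

fetch_installer() {            # save to disk; -f makes HTTP errors fail loudly
  curl -fsSL https://get.mobazha.org/standalone -o "$1"
}

file_sha256() { sha256sum "$1" | cut -d' ' -f1; }

flag() {                       # flag FILE LABEL REGEX: print matching lines with line numbers
  local hits
  hits=$(grep -nE -- "$3" "$1") || return 1
  printf '== %s ==\n%s\n' "$2" "$hits"
}

# Patterns mirror what Step 3 and the scan findings say the installer touches.
# They point the reviewer at lines to read; they do not prove a script is safe.
review_installer() {
  local f=$1 n=0
  [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
  echo "sha256: $(file_sha256 "$f")"
  flag "$f" 'external SaaS endpoint' 'app\.mobazha\.org|SAAS_API_URL|saas-url' && n=$((n+1))
  flag "$f" 'systemd units and timers' 'systemctl|\.timer|\.service' && n=$((n+1))
  flag "$f" 'files outside /opt/mobazha' '/usr/local/bin|/etc/' && n=$((n+1))
  flag "$f" 'firewall changes' 'ufw|firewall-cmd|iptables|nft ' && n=$((n+1))
  flag "$f" 'nested download-and-execute' \
    '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba)?sh' && n=$((n+1))
  echo "categories flagged: $n"
}

# Run only the exact bytes that were reviewed (guards against a re-download
# or an edit between review and execution).
unchanged_since_review() {     # unchanged_since_review FILE SHA256
  [ "$(file_sha256 "$1")" = "$2" ]
}

# Usage on the VPS:
#   fetch_installer installer.sh
#   review_installer installer.sh; less installer.sh
#   sha=$(file_sha256 installer.sh)
#   unchanged_since_review installer.sh "$sha" && sudo bash installer.sh --domain shop.example.com
```

Arguments after the script name are passed to the installer exactly as they are after `bash -s --` in Step 2.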

Step 4: Complete the Store Onboarding

Open the store admin panel in a browser:

  • With domain: https://shop.example.com/admin
  • Without domain: http://<VPS_IP>/admin

On first visit, a Setup Wizard appears with 4 steps:

  1. Set admin password — required before anything else
  2. Store profile — name, description, avatar
  3. Region and currency — country and display currency
  4. Done — dashboard unlocked, next steps suggested

For the full onboarding walkthrough (including API-based setup by AI agents), see the store-onboarding skill.

After onboarding, consider connecting your AI agent to the store for hands-free management — see the store-mcp-connect skill.

Step 5: Verify the Installation

mobazha-ctl status

Or check the health endpoint:

curl -sS http://localhost/healthz

Management Commands

Command                                                           Description
mobazha-ctl status                                                Show service status
mobazha-ctl logs                                                  View service logs
mobazha-ctl set-domain <domain>                                   Add or change the store domain
cd /opt/mobazha && docker compose down                            Stop all services
cd /opt/mobazha && docker compose up -d                           Start all services
cd /opt/mobazha && docker compose pull && docker compose up -d    Manual update

Adding a Domain Later

If you installed without a domain and want to add one:

  1. Point your domain's DNS A record to the VPS IP
  2. Run: mobazha-ctl set-domain shop.example.com
  3. The store will automatically obtain a TLS certificate

Enabling Privacy Overlay Later

You can enable Tor or Lokinet after installation from Admin → System → Network in the store dashboard, without re-installing.

Backup and Restore

Store data lives in /opt/mobazha/data/. To back up:

cd /opt/mobazha && docker compose down
tar czf ~/mobazha-backup-$(date +%Y%m%d).tar.gz data/
docker compose up -d

Troubleshooting

Port 80/443 already in use

Stop existing web servers (Apache, Nginx) before installing:

systemctl stop nginx apache2 2>/dev/null; true

Firewall blocking ports

Allow HTTP/HTTPS traffic:

ufw allow 80/tcp && ufw allow 443/tcp

Or with firewalld:

firewall-cmd --permanent --add-service=http --add-service=https && firewall-cmd --reload

Check container logs

cd /opt/mobazha && docker compose logs -f

Credential Handling

If the user provides a VPS IP and root password:

  1. Use SSH to connect to the VPS
  2. Run the installation command
  3. Report the store URL back to the user
  4. Remind the user to change the default SSH password for security

Never store or log credentials. After the session, credentials are not retained.
