Hostinger VPS Optimizer

Security checks across malware telemetry and agentic risk

Overview

This is a real VPS optimization skill, but it can make live root-level server changes with weak warnings and controls.

Review this before installing or running it on any production VPS. Only use it if you administer the server, have console or recovery access, and have checked current firewall rules, SSH port, hosted services, and OS compatibility. Treat the performance and cost-saving claims as unverified, and do not run the script blindly because it can affect availability.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium, 93% confidence
Finding
The trigger phrase "VPS cost save" is broad enough to match ordinary user requests about reducing hosting costs, which can cause the skill to activate outside a clearly intended optimization context. Because this skill advertises one-click system tuning and hardening actions, unintended invocation could lead to configuration changes being suggested or applied in situations where the user did not explicitly request such changes.

Vague Triggers

Medium, 95% confidence
Finding
The activation condition triggers on the mere presence of "hostinger VPS" in a message, which is too ambiguous for a skill that may recommend or initiate system-altering actions. Users discussing Hostinger VPS in general, comparing providers, or asking conceptual questions could accidentally invoke an optimizer workflow with operational guidance that is out of scope or unsafe for their situation.

Missing User Warnings

Medium, 91% confidence
Finding
The skill promotes sysctl tuning, web server optimization, firewalling, and hardening, but provides no warning that these are system-altering operations that can affect availability, networking, compatibility, or lock users out of their VPS. In this context, the lack of cautions, prerequisites, rollback guidance, or backup recommendations materially increases the chance of harmful misuse by users who may treat the skill as a safe default.

Missing User Warnings

Medium, 89% confidence
Finding
The script performs package installation and firewall reconfiguration directly on the host without any explicit confirmation, dry-run mode, or warning about service disruption and lockout risk. In an agent-skill context, this is security-relevant because executing the skill can materially change system state, expose or block services, and affect remote access unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.
