Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SetupOrion ByImpa

v1.0.0

Complete Ubuntu/Debian VPS setup for production with Docker Swarm, Traefik v3 (automatic SSL/HTTPS), Portainer CE and an overlay network. Based on SetupOrion v2.8.0. Runs all commands automatically.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (VPS setup for Docker Swarm, Traefik v3, Portainer) matches the instructions, which perform system updates, install Docker, initialize Swarm, create networks/volumes and deploy Traefik/Portainer. However, the registry metadata claims no required environment variables, while SKILL.md declares multiple required/sensitive env vars (hostnames, domain names, admin passwords, DB password, API key). That metadata mismatch is an inconsistency and reduces confidence in the skill's provenance.
! Instruction Scope
Instructions explicitly run system-wide commands as root/sudo (apt installs, hostname changes, systemctl, writing /root/traefik.yaml, using /var/run/docker.sock) and will configure services and credentials on the host. This is expected for a VPS setup but is high-impact. The doc instructs downloading and running external scripts (curl -fsSL https://get.docker.com | bash) and writing configs, which is risky. The instructions reference and require many environment variables declared inside SKILL.md; they do not read unrelated system secrets, but they do modify global system state.
Install Mechanism
This skill is instruction-only (no install spec) so nothing is written by the platform itself. The runtime steps fetch software from official locations (get.docker.com, download.docker.com, Docker images on registries). Using curl | bash to install Docker and pulling container images is common but considered risky because it executes remote code without local review. No unknown/personal URLs or archive extraction are present in the visible portion.
! Credentials
SKILL.md requires several sensitive env vars (VPS_PORTAINER_PASS, VPS_POSTGRES_PASS, VPS_EVOLUTION_API_KEY, email and domain names). Those values are plausible and proportional for configuring the services, but the registry-level metadata reported earlier showed 'no required env vars' — a mismatch that could hide secret requirements from users. The skill will create and store those credentials on the VPS; ensure you trust the source before supplying secrets.
Persistence & Privilege
The skill does not request persistent platform-level privileges (always:false) and is user-invocable. It instructs making persistent changes to the target VPS (service installs, system config), which is appropriate for its purpose. There is no evidence it attempts to modify other skills or platform config.
What to consider before installing
This SKILL.md is a full automated VPS setup that will run many root-level commands and requires you to supply admin passwords and API keys. Before running it:
1) Review the entire SKILL.md yourself — don't blindly pipe commands into a shell.
2) Note the registry metadata omitted the env vars that the script expects; prepare the required secrets locally and do not paste them into untrusted places.
3) Prefer running the steps manually or in a controlled staging VM first so you can inspect files (traefik.yaml, docker stacks) before they are applied.
4) Be cautious of the curl | bash Docker installer — if you want safer review, install Docker via your distro packages or inspect the installer script first.
5) Back up the server, and ensure DNS and Let's Encrypt limits are understood.
If you don't trust the skill's unknown source/homepage, treat it as untrusted instructions rather than an approved package.
