SetupOrion

By Impa

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine VPS setup skill, but it needs review because it performs broad privileged server changes and handles admin credentials unsafely.

Install only on a fresh VPS you control after reviewing the commands. Prefer the signed Docker repository install path, remove `-k` from credential-bearing curl commands, avoid printing tokens or passwords, snapshot the server first, and treat the Portainer API examples as full administrative access that can deploy persistent services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch (Medium, 92% confidence)

Finding: The skill metadata claims a narrower role focused on VPS setup with Docker Swarm, Traefik, and Portainer, but the body also provisions PostgreSQL and a WhatsApp-oriented Evolution API stack. This scope expansion increases attack surface and can mislead users into running extra internet-facing services they did not intend to deploy.

Context-Inappropriate Capability (Medium, 94% confidence)

Finding: Including Evolution API for WhatsApp integrations materially extends the skill beyond baseline VPS/bootstrap automation and introduces an additional externally reachable application with its own authentication, database, and Redis dependencies. In the context of an auto-executing setup skill, this creates unnecessary exposure and increases the chance of accidental deployment of a sensitive messaging platform component.

Context-Inappropriate Capability (Medium, 90% confidence)

Finding: The generic Portainer API section teaches the skill user how to deploy arbitrary new stacks, which goes beyond the declared purpose of setting up the base VPS environment. This effectively turns the skill into a generalized remote deployment launcher, increasing the blast radius if credentials or tokens are mishandled.

Missing User Warnings (Medium, 97% confidence)

Finding: The skill prints sensitive material such as the Portainer JWT token, PostgreSQL password, and Evolution API key directly to the console. Console output is often captured in shell history, CI logs, terminal recordings, or remote session logs, which can lead to credential disclosure and full administrative compromise of deployed services.

Missing User Warnings (Medium, 89% confidence)

Finding: The skill performs broad administrative changes including package upgrades, hostname changes, service enablement, swarm initialization, and stack deployment, yet presents them as routine and idempotent without a strong up-front warning about destructive or environment-altering effects. Users may run it on the wrong host or underestimate the permanence and exposure of these changes.

VirusTotal

66/66 vendors flagged this skill as clean.