SUIWARP

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real proxy/VPN server installer, but it uses root-level one-line installs, exposes an admin panel with default credentials, and makes broad persistent VPS changes that users should review before installing.

Install only on a disposable or dedicated VPS you control. Review and pin the remote scripts first, prefer SSH keys with host-key verification, change the S-UI admin password before exposing the panel, restrict ports 2095/2096 by firewall or VPN if possible, and avoid running this on a host that has other workloads or existing firewall/swap policy you need to preserve.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill clearly instructs shell execution and file/system modification but does not declare permissions, which weakens platform-level transparency and consent controls. In a skill that performs root-level deployment, hidden shell and file-write capability increases the chance of users invoking broad system changes without understanding the trust boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill description understates the scope of behavior relative to the actions described, including extra protocols, firewall changes, swap creation, NAT/DNAT rules, and additional services. That mismatch is dangerous because users may authorize a narrow proxy setup while the skill actually performs broader, persistent host reconfiguration that expands exposure and complicates rollback.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script does substantially more than a narrowly scoped proxy deployment: it creates swap, installs packages, rewrites firewall rules, adds iptables DNAT, writes systemd services, alters an application database, and persists multiple services across reboot. In a root-run one-liner installer, this breadth materially increases blast radius and the chance of unexpected host impact even if the author likely intended convenience rather than harm.

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
The metadata advertises 6 protocols, but the script additionally deploys CDN WS relay, ShadowTLS v3, HTTPUpgrade, and Hysteria2 port hopping, plus extra services and files. This discrepancy is a transparency and trust issue: operators may approve a smaller scope than what is actually installed, which is risky for an internet-facing root installer.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The uninstaller goes beyond removing the proxy stack and offers host-level changes such as deleting the system swap file and resetting the firewall to defaults. Even though these actions are interactive, they can cause service disruption, loss of host hardening, or operational outages on a VPS where swap and firewall rules may also protect unrelated workloads.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Managing host swap is outside the core scope of uninstalling a proxy deployment and affects overall system stability, not just this application. Removing /swapfile and editing /etc/fstab can degrade performance or crash memory-constrained systems if the swap file was reused for general host operation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README instructs users to execute a remotely fetched shell script directly via curl and bash, which is a classic supply-chain and remote-code-execution risk. Because the skill targets root SSH setup on a VPS and claims to automate firewall, DNS, and proxy configuration, any compromise of the GitHub account, repository, or network path could result in arbitrary privileged code execution on the host.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README advertises an internet-accessible admin panel with default credentials of admin/admin, which creates an immediate account-compromise path if the service is exposed before the password is changed. In this skill's context, the panel manages a proxy/VPN server and likely runs with elevated privileges or controls sensitive configuration, so takeover could enable full service compromise, credential theft, or use of the server for unauthorized traffic relaying.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill recommends executing a remotely fetched script directly as root via curl-pipe/bash without pinning a version, verifying a checksum/signature, or warning about the extent of system modifications. This creates a high-risk supply-chain and integrity problem: if the remote content changes or is compromised, the host can be fully taken over immediately.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The remote deployment example encourages password-based SSH with the password exposed on the command line and disables host key verification using StrictHostKeyChecking=no. This materially increases the risk of credential leakage through shell history/process inspection and enables man-in-the-middle attacks against the SSH connection, especially dangerous because the command runs as root.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script executes a remote installer directly with bash from a GitHub-hosted URL and also downloads executable binaries later in the script without integrity verification or prior confirmation. Because the script runs as root, any compromise of the remote source, release asset, or transport chain would yield full system compromise.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script performs privileged system modifications early and automatically, including swap creation and persistent changes to /etc/fstab and /etc/sysctl.conf, without an upfront warning or consent flow. This is dangerous in an agent skill context because users may expect application setup, not immediate host reconfiguration with reboot-persistent side effects.

VirusTotal

64/64 vendors flagged this skill as clean.
