1panel-install
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill matches its stated purpose, but it can run a downloaded installer as root and leave persistent server services running, so it should be reviewed before use.
Install only on a server you intend to administer, review and verify the downloaded 1Panel package before allowing root execution, protect the returned username/password, change the password immediately, restrict the panel’s network exposure, and avoid running the test script on production systems.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user asking to configure or deploy 1Panel could cause immediate system-level changes without a separate review of what will be installed or how to undo it.
The skill instructs automatic execution for broad trigger phrases and explicitly lacks an uninstall function, while the flow performs root-level system installation.
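When the user makes a request such as "install 1Panel", "deploy 1Panel", or "configure 1Panel", automatically run the installation flow. ... This skill does not include an uninstall function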
Require explicit confirmation before running the installer, show the planned paths/services/ports first, and provide a clear rollback or uninstall procedure.
A stale or tampered workspace package could be reused and then executed with root privileges.
The script trusts a pre-existing extracted directory or a newly downloaded archive and does not show checksum/signature verification before use.
if [[ -d "$TAR_DIR" ]]; then ... "安装包已存在,跳过下载" ... tar -xzf "$TAR_FILE" -C /root/.openclaw/workspace/
Verify the archive with a pinned checksum or signature, avoid trusting pre-existing extracted directories, and recreate the workspace from a verified source.
If the download source, archive, or extracted installer is compromised, the installer could take full control of the server.
The root-required script downloads an external package and executes the contained install script automatically with preset answers.
curl -fSL --retry 3 --retry-delay $retry_delay "$ONEDRIVE_URL" -o "$TAR_FILE" ... if echo -e "2\n\nn" | ./install.sh; then
Run only on an intended server, verify the official source and package integrity, and prefer a reviewed/pinned installer before granting root execution.
The chat/session may contain the new panel’s admin username and password, and the installer has root-level authority on the server.
Root privilege and returning initial admin credentials are expected for this installation task, but they are sensitive.
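This script requires root privileges to install system services. If the current user is not root, prompt the user to run it with sudo. ... Panel user: <randomly generated username> Panel password: <randomly generated password>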
Use this only on a server you control, protect the transcript/output, and change the generated panel password immediately after installation.
A long-running server management panel will remain active and may be reachable over the network until disabled or removed.
The persistent service behavior is disclosed and purpose-aligned, but it means the installed software continues running after the agent action ends.
The installation process automatically configures a systemd service
Confirm that you want a persistent 1Panel service, restrict network access, and disable or uninstall it when no longer needed.
Running the test script on a production server could interrupt an existing 1Panel installation or cause downtime if the restore step is not completed.
The manual test script can move, stop, disable, and remove 1Panel components while simulating an uninstalled state.
mv /opt/1panel "$BACKUP_DIR/" ... systemctl stop 1panel-core ... systemctl disable 1panel-core ... rm -rf /opt/1panel
Do not run test.sh on production systems; test in a disposable environment or make an independent backup first.
