VPS Bootstrap

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real VPS setup and recovery skill, but it makes powerful server, firewall, SSH, persistence, and credential-restore changes without enough safety controls.

Install only if you intend to rebuild or recover a VPS and can tolerate system-level changes. Review the scripts first, keep console or out-of-band access available, and confirm that SSH key login works before running bootstrap, since the bootstrap can change firewall rules and SSH authentication. Restore only from a trusted backup, because the restore can replace local agent instructions, cron data, secrets, keyrings, and account configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill advertises backup/restore to Google Drive and disaster recovery coverage, but the documented behavior does not show the claimed backup implementation and also appears to introduce sensitive key-management actions not clearly disclosed. This mismatch can mislead operators into trusting incomplete recovery guarantees or unexpectedly creating/restoring secrets, which is dangerous in infrastructure automation where omissions or hidden state changes can cause outage, lockout, or credential mishandling.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The restore script imports broad secret material including GPG keys, password stores, OAuth configs, keyrings, and rclone credentials, which extends beyond restoring application state into restoring highly sensitive identity and access artifacts. In a VPS bootstrap/recovery context this is dangerous because a tampered or stale backup can silently replace trusted credentials and grant unauthorized access to external services.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script restores external-service credential material such as GOG config, keyrings, and rclone configuration without demonstrating that these are essential to core OpenClaw recovery. That widens the trust boundary and lets a backup archive inject credentials for unrelated services, potentially persisting access tokens or redirecting sync behavior after recovery.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The restore workflow is described as restoring workspace files, configs, cron state, GPG keys, password store contents, and OAuth credentials, but it does not explicitly warn that existing configuration and secrets may be overwritten. In a VPS recovery or migration context, that can destroy current state, replace trusted credentials, or reintroduce stale or attacker-controlled secrets, causing service compromise or operational lockout.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The quick-start bootstrap instructions tell users to run the bootstrap script on a fresh VPS without an explicit warning that firewall rules and SSH authentication settings may be changed. On a remote VPS, undocumented network-access hardening can lock out administrators or disrupt dependent services, especially if key-based SSH access or port requirements are not validated first.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script modifies SSH authentication settings non-interactively, disabling password authentication and root login without validating that the current operator has working key-based access. On a remote VPS, this can lock out administrators and create an availability incident, especially because the script reloads SSH immediately after editing the config.
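A preflight-gated version of that SSH hardening step, as an added example that is not code from the scanned skill: it refuses to disable password authentication until an authorized key is present for the invoking user and a fresh key-only SSH probe to the host succeeds, validates the merged config with sshd -t, and reloads only after both checks pass, rolling the drop-in back if key login stops working afterwards. The drop-in path /etc/ssh/sshd_config.d/99-bootstrap.conf, the probe host, and the ssh/sshd service names are assumptions; the drop-in only takes effect where sshd_config includes sshd_config.d/*.conf before any conflicting directive, which is the layout on current Debian and Ubuntu images.

```shell
#!/usr/bin/env bash
# Added example, not code from the scanned skill: gate SSH hardening on
# evidence that key-based login works, so a non-interactive bootstrap
# cannot lock the operator out of a remote VPS.
set -eu

# Return 0 if FILE contains at least one well-formed, uncommented public key line.
has_authorized_key() {
    local file="$1"
    [ -s "$file" ] || return 1
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( |$)' "$file"
}

# Open a fresh, key-only SSH session to HOST. Password and keyboard-interactive
# auth are disabled for the probe so it cannot succeed by the method about to be removed.
probe_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no \
        -o StrictHostKeyChecking=accept-new -o ConnectTimeout=5 "$1" true
}

# Render the hardening drop-in to OUT (a staging file; installed with sudo below).
write_hardening_dropin() {
    printf '%s\n' \
        '# Installed by bootstrap after the key-login preflight passed' \
        'PubkeyAuthentication yes' \
        'PasswordAuthentication no' \
        'KbdInteractiveAuthentication no' \
        'PermitRootLogin no' > "$1"
}

# Service name differs between distributions (assumed: ssh on Debian/Ubuntu, sshd elsewhere).
reload_sshd() {
    sudo systemctl reload ssh 2>/dev/null || sudo systemctl reload sshd
}

# harden_ssh KEYFILE [DROPIN] [HOST]: KEYFILE is the invoking user's
# authorized_keys, DROPIN the assumed sshd_config.d path, HOST the address to probe.
harden_ssh() {
    local keyfile="$1" dropin="${2:-/etc/ssh/sshd_config.d/99-bootstrap.conf}" host="${3:-127.0.0.1}" staged
    has_authorized_key "$keyfile" \
        || { echo "refusing: no public key in $keyfile" >&2; return 2; }
    probe_key_login "$host" \
        || { echo "refusing: key-only login probe to $host failed" >&2; return 3; }
    staged=$(mktemp)
    write_hardening_dropin "$staged"
    sudo install -m 0644 "$staged" "$dropin"
    rm -f "$staged"
    # sshd -t parses the full effective config, including the new drop-in.
    if ! sudo sshd -t; then
        echo "sshd rejected the new config; removing $dropin" >&2
        sudo rm -f "$dropin"
        return 4
    fi
    reload_sshd
    # Existing sessions survive a reload, so a failed post-reload probe is still
    # recoverable from this terminal: roll back rather than leave a locked-out box.
    if ! probe_key_login "$host"; then
        echo "key login broke after reload; rolling back $dropin" >&2
        sudo rm -f "$dropin"
        reload_sshd
        return 5
    fi
}

# Usage (not run when this file is sourced):  harden_ssh "$HOME/.ssh/authorized_keys"
```

The probe only proves key login for identities reachable from the VPS itself (a local private key or a forwarded agent). If the operator's private key lives only on a workstation, the equivalent check is a second key-only session opened from that workstation before the reload, and the function should not proceed until it succeeds.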

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script overwrites workspace files, config, cron data, GPG material, and other secret stores without any confirmation, dry run, backup of current state, or warning about replacement. In a disaster-recovery workflow this is especially risky because operators may run it under stress, and a malicious or incorrect archive can irreversibly replace trusted local files and credentials.
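A restore wrapper with the rails these findings say are missing (a dry run that lists what would be replaced, a snapshot of the current copies before anything is overwritten, and an explicit opt-in before credential material is imported), as an added example that is not the skill's restore script. The SENSITIVE_PATTERNS list is an assumption drawn from the artifact types the findings name (GPG keyring, password store, rclone and OAuth configs, SSH keys, keyrings); the archive is assumed to be a gzip tarball whose members are relative to the restore target, and the tar invocations use GNU tar options.

```shell
#!/usr/bin/env bash
# Added example, not the skill's restore script: preview, snapshot, and
# opt-in before a backup archive may overwrite local state or secrets.
set -eu

# Assumed patterns marking identity/credential material rather than workspace
# state, drawn from the artifact types named in the findings above.
SENSITIVE_PATTERNS='\.gnupg/|\.password-store/|\.config/rclone/|\.ssh/|oauth|keyring'

# Archive members that would import credential material (empty if none).
list_sensitive_members() {
    tar -tzf "$1" | grep -Ei "$SENSITIVE_PATTERNS" || true
}

# Archive members (files only) that already exist under TARGET, i.e. what a
# blind `tar -x` would silently replace.
list_overwritten() {
    local archive="$1" target="$2" m
    tar -tzf "$archive" | while IFS= read -r m; do
        case "$m" in */) continue ;; esac
        if [ -e "$target/$m" ]; then printf '%s\n' "$m"; fi
    done
}

# Pack the current copies of everything the archive would overwrite into
# SNAPSHOT, so the pre-restore state can be put back if the backup turns out
# to be stale or tampered with. No-op when nothing would be overwritten.
snapshot_overwritten() {
    local archive="$1" target="$2" snapshot="$3" list
    list=$(list_overwritten "$archive" "$target")
    [ -n "$list" ] || return 0
    printf '%s\n' "$list" | tar -czf "$snapshot" -C "$target" -T -
}

# restore_archive ARCHIVE TARGET SNAPSHOT [dry-run|apply]
# Refuses to import sensitive members unless ALLOW_SECRETS=1; in dry-run mode
# (the default) it only reports what would be replaced and changes nothing.
restore_archive() {
    local archive="$1" target="$2" snapshot="$3" mode="${4:-dry-run}" sensitive
    sensitive=$(list_sensitive_members "$archive")
    if [ -n "$sensitive" ] && [ "${ALLOW_SECRETS:-0}" != "1" ]; then
        printf 'refusing: archive carries credential material (set ALLOW_SECRETS=1 to import):\n%s\n' "$sensitive" >&2
        return 2
    fi
    if [ "$mode" != "apply" ]; then
        printf 'dry-run: members that would be overwritten under %s:\n%s\n' \
            "$target" "$(list_overwritten "$archive" "$target")"
        return 0
    fi
    snapshot_overwritten "$archive" "$target" "$snapshot"
    tar -xzf "$archive" -C "$target"
    printf 'restored %s into %s; previous copies of overwritten files (if any) are in %s\n' \
        "$archive" "$target" "$snapshot"
}

# Usage (not run when this file is sourced):
#   restore_archive backup.tgz "$HOME" /var/backups/pre-restore.tgz            # preview only
#   ALLOW_SECRETS=1 restore_archive backup.tgz "$HOME" /var/backups/pre-restore.tgz apply
```

The snapshot belongs outside the restore target (and off the box, if the disaster that triggered the restore is still unfolding); the example takes its path as an argument rather than choosing one, and the ALLOW_SECRETS gate is deliberately an environment variable the operator must type, not a flag a calling script can default on.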

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
log "Node.js already installed: $NODE_VER"
else
    log "Installing Node.js ${NODE_MAJOR}..."
    curl -fsSL https://deb.nodesource.com/setup_${NODE_MAJOR}.x | sudo -E bash - 2>/dev/null
    sudo apt-get install -y -qq nodejs 2>/dev/null
    log "Node.js $(node --version) installed"
fi
Confidence
97% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# --- Step 5: Security baseline ----------------------------------------------
if [ "$ENABLE_FIREWALL" = "true" ]; then
    log "Configuring UFW firewall..."
    sudo ufw --force reset >/dev/null 2>&1
    sudo ufw default deny incoming >/dev/null
    sudo ufw default allow outgoing >/dev/null
    sudo ufw allow ssh >/dev/null
Confidence
91% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
log "Node.js already installed: $NODE_VER"
else
    log "Installing Node.js ${NODE_MAJOR}..."
    curl -fsSL https://deb.nodesource.com/setup_${NODE_MAJOR}.x | sudo -E bash - 2>/dev/null
    sudo apt-get install -y -qq nodejs 2>/dev/null
    log "Node.js $(node --version) installed"
fi
Confidence
97% confidence
Finding
sudo -E

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# --- Step 5: Security baseline ----------------------------------------------
if [ "$ENABLE_FIREWALL" = "true" ]; then
    log "Configuring UFW firewall..."
    sudo ufw --force reset >/dev/null 2>&1
    sudo ufw default deny incoming >/dev/null
    sudo ufw default allow outgoing >/dev/null
    sudo ufw allow ssh >/dev/null
Confidence
95% confidence
Finding
--force reset

Chaining Abuse

High
Category
Tool Misuse
Content
log "Node.js already installed: $NODE_VER"
else
    log "Installing Node.js ${NODE_MAJOR}..."
    curl -fsSL https://deb.nodesource.com/setup_${NODE_MAJOR}.x | sudo -E bash - 2>/dev/null
    sudo apt-get install -y -qq nodejs 2>/dev/null
    log "Node.js $(node --version) installed"
fi
Confidence
98% confidence
Finding
| sudo
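Safer equivalents of the two flagged steps (the `--force reset` finding and the `curl ... | sudo -E bash` chaining finding), as an added example rather than the skill's own code. The installer is fetched to disk and checked against a pinned SHA-256 before anything runs as root, then executed under `sudo env -i` with an explicit PATH instead of `sudo -E`, so nothing from the operator's shell reaches it. The firewall step records the existing rules before the reset, allows the port(s) sshd actually listens on (read from `sshd -T`, so a non-default port is not locked out by `ufw allow ssh`), and confirms the staged rule with `ufw show added` before `ufw --force enable`, which is the command that actually cuts off traffic. The NODESOURCE_SHA256 placeholder must be replaced with the hash of a copy the operator has reviewed; the backup path under /var/backups and the PATH value are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the scanned skill: replace `curl | sudo -E bash`
# with fetch, pin, inspect, run, and make the ufw step lockout-safe.
set -eu

# SHA-256 hex of FILE, portable across coreutils and BSD userlands.
sha256_of() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | awk '{print $1}'
}

# Return 0 only if FILE hashes to EXPECTED (lowercase hex).
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Download URL to DEST without executing it; keep nothing unless the hash matches.
fetch_verified() {
    local url="$1" dest="$2" expected="$3" tmp
    tmp=$(mktemp)
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
    if ! verify_sha256 "$tmp" "$expected"; then
        printf 'refusing: %s hashed to %s, expected %s\n' "$url" "$(sha256_of "$tmp")" "$expected" >&2
        rm -f "$tmp"
        return 2
    fi
    mv "$tmp" "$dest"
}

# Install Node.js from a reviewed, pinned copy of the NodeSource setup script.
# NODESOURCE_SHA256 is a placeholder (all zeros): set it from the copy you reviewed.
NODE_MAJOR="${NODE_MAJOR:-22}"
NODESOURCE_SHA256="${NODESOURCE_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"
install_node() {
    local script="/var/tmp/nodesource_setup_${NODE_MAJOR}.sh"
    fetch_verified "https://deb.nodesource.com/setup_${NODE_MAJOR}.x" "$script" "$NODESOURCE_SHA256"
    # Clean root environment: no proxies, tokens or PATH entries from the
    # operator's shell reach the installer, unlike with `sudo -E`.
    sudo env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin DEBIAN_FRONTEND=noninteractive bash "$script"
    sudo apt-get install -y -qq nodejs
}

# Ports sshd actually listens on, parsed from `sshd -T` output ("port N" lines).
sshd_ports_from() {
    printf '%s\n' "$1" | awk '$1 == "port" {print $2}'
}

# Return 0 if `ufw show added` output already stages an allow rule for PORT/tcp.
ufw_added_allows() {
    printf '%s\n' "$2" | grep -Eq "^ufw allow $1/tcp( |$)"
}

# Firewall step: record the current rules, reset, allow every sshd port,
# verify the staged rules, and only then enable.
apply_firewall() {
    local port ports
    sudo ufw status numbered | sudo tee /var/backups/ufw-rules-before-bootstrap.txt >/dev/null
    ports=$(sshd_ports_from "$(sudo sshd -T)")
    [ -n "$ports" ] || { echo "refusing: could not read sshd listen ports" >&2; return 3; }
    sudo ufw --force reset >/dev/null
    sudo ufw default deny incoming >/dev/null
    sudo ufw default allow outgoing >/dev/null
    for port in $ports; do
        sudo ufw allow "$port/tcp" >/dev/null
        ufw_added_allows "$port" "$(sudo ufw show added)" \
            || { echo "refusing to enable: no rule staged for sshd port $port" >&2; return 4; }
    done
    sudo ufw --force enable >/dev/null
}

# Usage (not run when this file is sourced):  install_node; apply_firewall
```

Pinning the installer's hash means a NodeSource update will stop the bootstrap until someone re-reviews the new script and updates the pin; that is the intended trade, since the alternative is executing whatever the CDN serves as root. The `ufw show added` check runs while ufw is still disabled after the reset, which is the last point at which a missing SSH rule is harmless.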

VirusTotal

64/64 vendors flagged this skill as clean.
