Hostinger VPS MCP Tools

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it grants broad infrastructure and root-level authority with risky defaults that users should review before installing.

Install only if you are comfortable granting a Hostinger API token and running root-level provisioning scripts on a fresh VPS. Review the scripts first, use the least-privileged and rotatable Hostinger token available, verify SSH host keys yourself, avoid public RDP/webchat exposure, prefer VPN or tunnel access, remove or narrow passwordless sudo, and rotate any token that may have been displayed or entered in shell commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (20)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill clearly instructs use of shell commands, environment variables, SSH, and remote script execution, yet it declares no permissions. This creates a transparency and consent problem because an agent or user may invoke infrastructure-changing operations without an explicit capability declaration and review boundary.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 82%
Finding: The documented behavior goes beyond simple VPS deployment and includes credential vault usage, local config mutation, MCP server registration, tool enumeration, and extra integration/security setup. This mismatch weakens informed consent and can hide sensitive side effects such as persistent credential storage or unrelated system changes from users relying on the summary description.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The implemented handlers primarily manage Hostinger API credentials, local config files, and tool discovery rather than performing the VPS deployment and workstation setup described in the skill manifest. This mismatch is dangerous because it expands the skill's actual behavior into sensitive local credential/config management, which can mislead users and reviewers about what the skill really does.

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: The code searches for, reads, and rewrites shared local configuration and secret-vault files under the user's home directory, affecting broader agent settings outside a narrow VPS setup scope. This creates risk of unintended credential exposure, configuration tampering, or persistence in a place users may not expect this skill to touch.

Intent-Code Divergence
Severity: Low
Confidence: 82%
Finding: The comments state the token is not stored plaintext in mcporter, but the fallback logic still reads a plaintext API_TOKEN from mcporter configuration for backward compatibility. This inconsistency can cause reviewers and users to overestimate protections and may perpetuate insecure legacy secret storage.

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding: The script disables SSH host key verification with StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null for both initial and subsequent connections, which removes SSH's protection against man-in-the-middle attacks. Because this skill performs full remote provisioning as root, an attacker able to intercept or redirect traffic could impersonate the server and receive or alter the setup commands, making the impact substantially worse in this deployment context.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The deployment workflow provisions new VPS instances and therefore can incur real billing charges and create externally reachable infrastructure, but the instructions do not prominently warn about those consequences. Users or agents could trigger costly or unintended account changes without a clear confirmation step.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The one-command and stepwise instructions execute scripts over SSH as root and perform broad system changes including firewall rules, user creation, GUI installation, Docker setup, and application deployment. Without a prominent warning and confirmation, this creates a high risk of destructive or insecure changes to the target VPS, especially if the host or ports are wrong.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The UI renders the Hostinger API token in clear text inside a code block after configuration, exposing a sensitive credential to anyone with screen access, screenshots, browser recording, shoulder-surfing, or client-side inspection. In this skill context, the token can enable VPS and potentially billing-related API operations, making credential disclosure materially dangerous.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The documentation tells users to add Telegram, Discord, and Slack credentials but does not include any guidance on secure handling, storage, or rotation of those secrets. In a VPS deployment skill for AI agents, this omission increases the chance that operators place bot tokens in plaintext configs, share them insecurely, or commit them to repositories, which can lead to account takeover or abuse of connected channels.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The script creates a permanent passwordless sudo rule for the 'koda' user, which means any compromise of that account immediately becomes full root compromise with no additional authentication barrier. In the context of an internet-facing VPS intended to run remote access and agent software, this materially increases blast radius and makes follow-on privilege escalation trivial.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script queries ifconfig.me to determine the server's public IP, which sends network-identifying metadata to an external third-party service without notice or consent. While the data exposure is limited, this creates an unnecessary outbound dependency and leaks deployment information during a privileged setup flow.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script makes broad, system-wide hardening changes immediately and non-interactively, including SSH configuration edits, service disablement, sysctl changes, and permission changes. In the context of remote VPS deployment, these actions can unintentionally lock out administrators or disrupt required services, creating an availability and operational security risk even if the intent is defensive.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The script downloads and immediately executes a remote installer as root using a shell pipe, but does not warn the operator that they are trusting live code from the network with full system privileges. This is dangerous because a compromised upstream script, MITM in a misconfigured environment, or unexpected installer change can result in arbitrary code execution and full host compromise.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The script automatically runs `tailscale up --ssh`, and when an auth key is supplied it authenticates non-interactively without warning that this changes remote access posture by enabling Tailscale SSH and joining the device to a tailnet. In a VPS deployment context, that can unintentionally expose administrative access to identities in the tailnet and alter how the server is reachable.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The script writes private keys and client VPN configurations directly to disk under /etc/wireguard without warning, lifecycle controls, or explicit permission checks beyond the current umask. Those files grant network access and may be exposed through backups, operator mishandling, or overly broad filesystem access, especially since the script also renders the client config as a QR code to the terminal.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The script embeds the Pipedream bearer token into a local JSON-backed mcporter configuration via a command-line header value, creating a persistent secret-at-rest on disk without any permission hardening or warning. If the config file or home directory is read by another local user, backup system, or support process, the API credential could be exposed and abused to access or manipulate the connected Pipedream integration.

Credential Access
Severity: High
Category: Privilege Escalation
Content:
- Consider headless mode if GUI not needed

**MCP tools not loading?**
- Verify token is saved: check `~/.openclaw/secrets.json` for `HOSTINGER_API_TOKEN`
- Run: `API_TOKEN=your-token mcporter list hostinger-api`
Confidence: 78%
Finding: secrets.json

Sudo/Root Execution
Severity: Medium
Category: Privilege Escalation
Content:
echo ""
fi

# Allow koda user to sudo without password (for automation)
echo "koda ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/koda

# Change SSH port if non-default
Confidence: 97%
Finding: sudo

Tool Parameter Abuse
Severity: High
Category: Tool Misuse
Content:
echo "[1/3] Installing cloudflared..."
curl -fsSL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o /tmp/cloudflared.deb
dpkg -i /tmp/cloudflared.deb
rm /tmp/cloudflared.deb

# Install as service with token
echo "[2/3] Configuring tunnel..."
Confidence: 95%
Finding: rm /tmp/

VirusTotal

66/66 vendors flagged this skill as clean.
