Deploy Xray VLESS using 3X UI on your VPS
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to match its stated VPS-deployment purpose, but it deserves review because it can make root-level server changes and runs unpinned third-party installers/images.
Install only if you intentionally want this agent to administer a dedicated Ubuntu/Debian VPS. Review the scripts first, take a VPS snapshot, verify the Docker/ACME/3X-UI sources, use SSH keys where possible, and confirm the firewall reset will not block any other services you need.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an upstream installer, image tag, or network-delivered script changes unexpectedly or is compromised, the VPS could be altered or compromised at root level.
The bootstrap executes downloaded installer scripts on the root-managed VPS and deploys an unpinned latest-tag container image, without visible checksum or version pinning.
curl -fsSL https://get.docker.com -o /tmp/get-docker.sh
sh /tmp/get-docker.sh
...
curl -fsSL https://get.acme.sh | sh -s email="${ACME_EMAIL:-}"
...
image: ghcr.io/mhsanaei/3x-ui:latest
Review the external scripts before use, prefer pinned Docker/ACME installation methods, pin the 3X-UI image by version or digest, and run this only on a dedicated, backed-up VPS.
On a VPS that runs other services, this could break packages, change exposed ports, interrupt traffic, or remove firewall rules the user expected to keep.
The update workflow changes the whole host package set, updates containers, restarts services, and resets the firewall to a narrow rule set, not just the 3X-UI application files.
apt upgrade -y
docker compose -f "${WORKDIR}/docker-compose.yml" pull
...
ufw --force reset >/dev/null
ufw default deny incoming >/dev/null
ufw allow "${SSH_PORT}/tcp" >/dev/null
ufw allow 80/tcp >/dev/null
ufw allow 443/tcp >/dev/null
Use the skill only on a dedicated VPS or take a snapshot first; confirm no other services need inbound ports before running deploy or update scripts.
Anyone who sees the SSH password or panel admin password could control the VPS or 3X-UI panel.
The skill explicitly requires privileged server access and panel administrator credentials; this is purpose-aligned but sensitive.
Collect these before doing any work:
- `ssh target` for the VPS, preferably `root@host`
- optional plain-text SSH password if the host is password-auth only
- public domain pointed at the VPS
- optional ACME email
- panel admin username and password
Prefer SSH keys over passwords, avoid pasting credentials into shared logs or chat transcripts, and rotate the panel/SSH credentials after setup if they were exposed.
The VPS will continue running 3X-UI/nginx until the user deliberately stops or removes them.
The deployment intentionally creates persistent services that continue running after the script finishes.
restart: unless-stopped
...
systemctl enable --now nginx
Make sure persistence is intended, document the installed paths and services, and plan an uninstall/rollback procedure before deployment.
