Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

dxyz-cPanel

v1.0.0

Manage cPanel hosting accounts via API for version 134.0.11 and compatible versions. Supports account management, DNS zones, email accounts, databases (MySQL...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, README, SKILL.md and included scripts all implement cPanel/WHM API operations (accounts, DNS, email, DB, backups). However the registry metadata declares no required environment variables or primary credential even though the runtime explicitly requires CPANEL_HOST and CPANEL_TOKEN (and optionally CPANEL_USER/CPANEL_CONFIG). The missing declaration is an incoherence that could surprise users.
Instruction Scope
SKILL.md and scripts instruct the agent to run curl via exec and to read files (e.g., cert.pem for SSL install) and to load a local config (~/.cpanel/config.json). Those actions are consistent with the stated functionality, but they permit reading local files and the local config file—so verify which local files the agent will be asked to access.
Install Mechanism
No install spec or remote downloads; the skill is instruction-plus-local-scripts only. That reduces supply-chain risk because nothing arbitrary is fetched or auto-executed from external URLs during install.
Credentials
Registry claims no required env vars or primary credential, yet all scripts and docs rely on CPANEL_HOST and CPANEL_TOKEN (and optionally CPANEL_USER or a config file path). This mismatch is a material omission: the skill will need a privileged API token which is not advertised in the registry metadata.
Persistence & Privilege
The skill does not request always:true and does not attempt to alter other skills or global agent settings. It includes helper scripts stored in the skill workspace that the agent may execute, which is typical for this kind of skill.
What to consider before installing
Before installing:
(1) Expect to provide CPANEL_HOST and CPANEL_TOKEN — the skill needs a cPanel/WHM API token with appropriate ACLs; registry metadata failing to declare those is an omission.
(2) Only grant the token the minimal permissions required (e.g., createacct, listaccts, DNS, Email, Mysql) and consider scoping by IP and expiration.
(3) Review the included scripts (under scripts/) yourself; they will read ~/.cpanel/config.json (if present) and can read local files (e.g., cert.pem) when you run SSL/install commands.
(4) Do not run these scripts with an over-privileged token on production servers until validated in a test/staging environment.
(5) Confirm the publisher/source before trusting the skill (homepage is missing and owner ID is unfamiliar).
(6) If you proceed, rotate tokens after testing and monitor API usage/logs in WHM for unexpected activity.

Like a lobster shell, security has layers — review code before you run it.
