ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

VPS Fusion Monster Server Test

v1.0.0

Run full VPS performance and network tests across CPU, memory, disk, streaming unlock, IP quality, routing, latency, and multi-node speed with no extra depen...

0· 150·0 current·0 all-time
by@spiritlhls
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (VPS performance & network tests) match the provided scripts: run.sh fetches a goecs binary and runs full tests; analyze.sh parses results. Requesting no credentials and writing cache to ~/.cache/clawchimera is reasonable for this purpose. However, use of non-standard CDN mirrors (cdn0.spiritlhl.top, cdn3.spiritlhl.net, cnb.cool) for binary distribution is not strictly necessary and raises questions about why direct GitHub releases wouldn't be the preferred/verified source.
!
Instruction Scope
SKILL.md/run.sh instructs the agent to download a remote precompiled binary and execute it locally (necessary for this wrapper). The skill also enables result uploading by default (-upload true) and uses external IP geolocation services (ipapi.co, ip-api.com). analyze.sh can optionally invoke a local AI tool (--call-ai). The download-and-execute step plus default upload behavior broaden the data/execution surface beyond simple local benchmarking.
!
Install Mechanism
No formal install spec, but run.sh fetches prebuilt binaries at runtime. While it prefers GitHub releases, it probes and may use third‑party CDN prefixes (cdn*.spiritlhl.net, spiritlhl.top) or cnb.cool mirrors. These are not well‑known, audited release hosts; a compromised or malicious mirror can deliver arbitrary binaries. There is no built‑in checksum or signature verification before execution.
Credentials
The skill requires no secrets or cloud credentials (good). It exposes one optional env var CN to force mirror selection. However, the default behavior (-upload=true) will upload test results to a public pasteboard (per skill.json), which may leak IP, routing, or other sensitive metadata; this is not obviously necessary for core functionality and should be opt‑out by default.
Persistence & Privilege
The skill does not request permanent/always inclusion and does not require elevated privileges. It caches binaries to ~/.cache/clawchimera which is reasonable for performance. It warns when run as root but does not require root.
What to consider before installing
This skill is functionally coherent (a wrapper that downloads and runs the goecs benchmark) but has two practical risks: it pulls prebuilt binaries through third‑party CDN mirrors (not all are well‑known) and by default may upload results publicly. Before installing or running: 1) Prefer obtaining the goecs binary directly from the official GitHub release page and verify checksums/signatures if available. 2) Run the skill with -upload=false (or edit skill.json) to avoid automatic public uploads. 3) Consider setting CN=false to force direct GitHub access, or inspect/replace the CDN list in run.sh. 4) If unsure, build the upstream oneclickvirt/ecs from source locally and point run.sh to your locally built binary. 5) Execute first inside an isolated VM/container and inspect the downloaded binary (e.g., check release tags, compare sizes, run strings/ltrace/strace) before trusting it on production systems.

Like a lobster shell, security has layers — review code before you run it.

latestvk978qscve5k2mye17vh1mqjyad833y1z

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments