Aapanel 5h3ll

Security checks across malware telemetry and agentic risk

Overview

This is a real aaPanel administration skill, but it gives OpenClaw broad production-server control with weak safeguards around destructive actions and stored admin tokens.

Install only if you intend to let OpenClaw administer aaPanel servers, not just monitor them. Use dedicated least-privilege aaPanel tokens if possible, protect ~/.openclaw/bt-skills.yaml with restrictive permissions, avoid printing full config in shared logs, keep SSL verification enabled where possible, and manually review any command that deletes data, changes firewall rules, revokes certificates, changes passwords, downloads remote URLs, overwrites files, or applies recursive permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions while its documented behavior clearly includes shell execution, network access, reading and writing files, and persistent configuration changes. This creates a dangerous trust gap: users and any permission-gating system may treat it as low-risk even though it can administer remote servers and modify sensitive state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The top-level description frames the skill as monitoring and file management, but the documentation exposes a much broader administrative control plane including site lifecycle, database and FTP account management, firewall modification, SSL provisioning/revocation, remote downloads, and PHP reconfiguration. Understating this scope increases the chance of unintended invocation and unsafe delegation of highly privileged actions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest description understates the skill's administrative power compared with the rest of the file, which includes broad server-management capabilities. This is risky because operators and automated routing may classify it as observational tooling when it can actually change security posture, credentials, sites, and data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This endpoint catalog exposes powerful administrative operations including SSL issuance/revocation, site creation/deletion, FTP account management, firewall allow/deny changes, and task enumeration. In a skill described primarily as server monitoring and file management, bundling these capabilities materially expands the privilege and action surface, increasing the chance of unintended destructive changes or abuse if higher-level authorization and tool scoping are weak.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The skill description emphasizes monitoring, logs, and file operations, but this client also exposes broad administrative capabilities such as site creation/deletion, domain changes, SSL lifecycle changes, FTP account management, and firewall modification. In an agent context, this is dangerous because hidden write-capable operations materially expand what the skill can do beyond what a user would reasonably expect, increasing the risk of unauthorized or unsafe infrastructure changes.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code can add and remove firewall rules, including whitelisting and blacklisting IPs, despite the skill description not clearly presenting firewall administration as part of its purpose. In an autonomous or semi-autonomous agent setting, such capability can lock out administrators, expose services, or disrupt production access, making the mismatch especially risky.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The client manages FTP accounts, including creating users, deleting users, and changing passwords, but the skill description does not disclose account-management functionality. This hidden credential-management surface can be abused to create persistence, exfiltrate files, or break access for legitimate users.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The show command prints the full loaded configuration in YAML or JSON, which likely includes stored API tokens for managed servers. In a monitoring/file-management skill context, exposing raw secrets on stdout materially increases credential disclosure risk through console history, logs, transcripts, or downstream tool capture.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file explicitly implements database administration functionality ('Create, delete databases and manage users') even though the skill metadata describes server monitoring, logs, cron jobs, and file operations. This scope mismatch is dangerous because it grants operators or upstream agents access to destructive and privilege-changing capabilities they would not reasonably expect from the advertised skill, increasing the chance of unauthorized or accidental use.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This code performs remote state-changing operations through the aaPanel API, including creating/deleting databases, creating users, and granting/revoking privileges. In the context of a skill advertised mainly for monitoring and file management, these hidden administrative actions materially expand attack surface and could be abused to destroy data, create backdoor accounts, or escalate access on managed servers.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script explicitly provides firewall management capabilities even though the stated skill purpose is limited to monitoring, logs, cron jobs, and file operations. This scope expansion is dangerous because it enables security-policy changes on remote servers that a user or reviewer may not expect, increasing the chance of misuse or hidden administrative control.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code can add and remove whitelist/blacklist entries on a remote aaPanel instance via API calls, directly modifying network access controls. In the context of an agent skill, this is high risk because it can lock out administrators, silently allow attacker IPs, or disrupt service availability without the capability being justified by the declared purpose.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This script exposes site creation, deletion, and domain-management operations even though the skill is described as server monitoring and file management. In an agent context, capability drift is dangerous because a caller expecting read-oriented administration may unknowingly gain destructive control over hosted websites, enabling outage or unauthorized reconfiguration if the skill is invoked with attacker-chosen arguments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly states that server configurations and API tokens are stored in ~/.openclaw/bt-skills.yaml but does not instruct users to secure that file. Because these tokens grant administrative access to aaPanel instances, weak local file permissions, shared accounts, backups, or accidental disclosure could lead to unauthorized server management.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The keyword list contains broad terms like 'panel', 'file management', 'log reading', 'SSH', and 'database management' that can match common user intents and cause this powerful skill to be selected too easily. In context, overbroad triggering is especially dangerous because the skill supports destructive administrative actions well beyond passive monitoring.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation advertises destructive and security-sensitive actions—file deletion, permission changes, firewall modifications, SSL revocation, account/password management, and database/site deletion—without visible safety warnings, confirmation requirements, or scope restrictions. This normalizes high-risk operations and increases the likelihood of accidental or socially engineered misuse against production infrastructure.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The file exposes destructive operations such as deleting sites and deleting FTP users without any built-in confirmation, safety interlock, or dry-run support. In an agent-integrated skill, absence of friction for destructive actions increases the chance of accidental or unauthorized destructive changes, especially when combined with broad API access.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
The client sends signed requests and may include sensitive values, such as authentication material derived from API tokens and passwords for FTP operations, in network requests, while SSL verification is configurable and can be disabled. In that context, the lack of enforced transport protections makes credential-bearing requests more exposed to interception or man-in-the-middle attacks if misconfigured.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The module writes sensitive aaPanel API tokens directly to disk in plaintext YAML, increasing the blast radius of any local compromise, backup leakage, or accidental file disclosure. In the context of a server-management skill, those tokens may grant broad remote administrative access, making local secret persistence materially dangerous.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This client exposes high-risk remote file primitives such as write, create, delete, and permission changes with no built-in confirmation, audit logging, policy checks, or path restrictions. In the context of an agent skill for aaPanel server management, these methods can directly modify production server files, making accidental misuse, prompt-injection-driven abuse, or unauthorized destructive actions more likely and harder to detect.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Dumping the entire config without masking sensitive values can expose aaPanel API tokens to any caller with access to the command output. Those tokens may enable unauthorized panel access, server management actions, and lateral movement if transcripts or logs are retained.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script collects and later emits the raw BT_CONFIG_PATH environment variable value in JSON/text output without redaction. Environment variables and filesystem paths can contain sensitive deployment details, usernames, mount locations, or secret-bearing filenames; in a server-management skill context, exposing configuration paths increases information disclosure risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The delete action invokes database deletion immediately based only on the provided name, with no confirmation prompt, dry-run mode, safeguard, or explicit warning. Because this script is designed for remote server administration, a typo, prompt-injection-induced command selection, or automation mistake could irreversibly delete a production database.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The rm command immediately deletes a remote file based solely on a supplied path and provides no interactive confirmation, force flag, preview, or guardrails. In an agent or automation context, a mistaken path, prompt injection, or parameter mix-up can cause irreversible deletion of important server files with little friction.

Missing User Warnings

High
Confidence
95% confidence
Finding
The rmdir command deletes a remote directory without any warning or confirmation, which is especially dangerous because directory removal can wipe entire application trees, websites, or data stores. In this skill context the command targets remote server content, so a single bad invocation could cause broad service disruption or permanent data loss.

VirusTotal

VirusTotal findings are pending for this skill version.
