Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nginx Proxy Manager

v1.0.0

Manage Nginx Proxy Manager (NPM) hosts, certificates, and access lists. Use when the user wants to add a new domain, point a domain to a server/port, enable SSL, or check the status of proxy hosts.

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The skill name/description and included Python client align with managing NPM via its REST API and therefore legitimately require an NPM URL and admin credentials. However, the registry metadata declares no required environment variables while SKILL.md and the script require NPM_URL, NPM_EMAIL, and NPM_PASSWORD. That registry omission is an inconsistency that reduces transparency and is a security concern.
Instruction Scope (flagged)
SKILL.md limits actions to NPM API calls (listing hosts/certs, enabling/disabling, deleting). The included script only talks to the provided NPM_URL. However, the script reads/writes a token file at a fixed path (/root/.npm-token.json) that is not documented in SKILL.md, and will persist tokens to disk. Writing under /root is surprising and may be inappropriate if the agent is not intended to run as root.
Install Mechanism
There is no install spec (instruction-only plus an included .py script). No external downloads or package installs are performed. Risk is limited to executing the included script, which should be reviewed prior to use.
Credentials (flagged)
The script legitimately needs NPM_URL, NPM_EMAIL, and NPM_PASSWORD to authenticate, but the skill registry did not declare these required env vars. Additionally, the script stores an auth token on disk in /root/.npm-token.json — a sensitive artifact. Requesting admin credentials is proportional for full admin tasks, but preserving them in an undocumented file and not declaring them in metadata is disproportionate to a transparent design.
Persistence & Privilege (flagged)
always:false (good) and the skill doesn't request elevated platform privileges, but it creates persistent state by writing /root/.npm-token.json. Persisting tokens in /root increases the blast radius (token reuse, discovery by other processes, or exposure if backups are made). The skill also enables autonomous invocation by default (normal), which combined with stored credentials raises risk if the skill is later invoked without user supervision.
What to consider before installing
This skill appears to do what it says (manage Nginx Proxy Manager) but has some problematic choices you should consider before installing:
- Verify metadata: the registry didn't declare required env vars. SKILL.md and the script require NPM_URL, NPM_EMAIL, and NPM_PASSWORD; ensure you are comfortable providing those credentials.
- Prefer token-based or scoped credentials: instead of using a full admin password, create a scoped API token (if NPM supports it) to limit exposure.
- Review and/or change TOKEN_FILE: the script writes a token to /root/.npm-token.json (undocumented). If you install/run this, change TOKEN_FILE to a non-root path with strict permissions, or remove the on-exit persistence to avoid leaving credentials on disk.
- Run in a least-privilege context: run the script under a dedicated, limited user account, and ensure the agent runtime cannot expose disk content or network access beyond NPM.
- Confirm network targets: the script calls only NPM_URL; ensure that URL is the real admin endpoint you intend to manage and not a malicious redirect.
- Ask the author to update metadata and docs: the skill registry should declare required env vars and document the token file location and retention policy.
If you cannot verify or change these items, treat this skill cautiously (do not supply admin credentials to unknown or untrusted skills).


Version: latest (vk971aq0b7hw71rfvy1xs3vecgh7zst53)

License

MIT-0: free to use, modify, and redistribute. No attribution required.