
Security audit

Huo15 Baota Control

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real BT-Panel administration helper, but it handles powerful server credentials and broad remote admin access in ways users should review carefully before installing.

Install only if you are comfortable giving the skill broad BT-Panel administrative authority. Use a least-privilege token if possible, restrict IP allowlists tightly, avoid public tunnels as the only protection, rotate any token printed by the helper, and review or remove the raw endpoint and token-recovery scripts before using it on production servers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
Findings (14)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
```python
    elif a.cmd in ("site_stop", "site_start"):
        out = getattr(bt, a.cmd)(a.id, a.name)
    else:
        out = getattr(bt, a.cmd)()
    print(json.dumps(out, ensure_ascii=False, indent=2))
```
Confidence
94% confidence
Finding
out = getattr(bt, a.cmd)()

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly performs network operations against remote BT-Panel HTTP APIs, yet no declared permissions are documented. This creates a transparency and policy-enforcement gap: users and hosting systems may not realize the skill can reach external servers and perform administrative actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose focuses on panel-based operations, but the referenced tooling reportedly can also enable the BT API, alter API whitelist settings, and decrypt/expose plaintext tokens. Those capabilities materially expand the trust boundary and allow credential exposure and security-control weakening beyond ordinary panel management.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The documentation explicitly exposes file read, file write, and directory listing API endpoints, which materially expands the skill from BT-Panel operational management into arbitrary filesystem access. In the context of a server administration skill with stored panel credentials, this can enable reading secrets, modifying web content or configs, and staging further compromise if an agent is induced to use these endpoints.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The note that arbitrary shell commands should be executed via SSH encourages operators or downstream agents to pivot from the BT-Panel API skill into unrestricted command execution. Even though it is phrased as a limitation of the API, it broadens the effective capability model of the skill and can normalize escalation to a far more dangerous control channel.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code comment says high-level wrappers are read-mostly and that write operations require explicit calls, but the 'raw' command bypasses that boundary and can invoke any BT-Panel endpoint with arbitrary parameters. In a server-administration skill backed by real panel credentials, this effectively exposes full panel API authority, including destructive or persistence-establishing actions, while presenting a narrower trust model to users and reviewers.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The manifest and CLI help suggest a bounded set of operational functions, but the implementation also exposes unrestricted arbitrary BT-Panel API invocation through the raw path. This mismatch is security-relevant because users, integrators, or policy layers may permit the skill assuming limited capabilities, while it actually grants a much broader administrative surface over websites, databases, SSL, tasks, Docker, and potentially other panel functions.
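Added example, not code from the skill or from the audit tooling, showing one way to close both the getattr() dispatch finding above (Dynamic attribute access, Low) and the raw-path bypass described in the Intent-Code Divergence and Description-Behavior Mismatch findings. PanelClient is a constructed stand-in for the skill's `bt` object, `_token` is a hypothetical internal helper, and the raw endpoint allowlist is illustrative: the point is that only names and endpoints listed in the source are ever reachable from the command line, and write operations need an explicit opt-in.

```python
"""Allowlist dispatch for a BT-Panel CLI helper (added example, not the skill's code)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional


class PanelClient:
    """Constructed stand-in for the skill's `bt` client; returns canned data offline."""

    def sites(self) -> list:
        return [{"id": 1, "name": "example.com", "status": "running"}]

    def site_stop(self, site_id: int, name: str) -> dict:
        return {"status": True, "msg": f"stopped {name} ({site_id})"}

    def site_start(self, site_id: int, name: str) -> dict:
        return {"status": True, "msg": f"started {name} ({site_id})"}

    def raw(self, endpoint: str, **params: Any) -> dict:
        return {"endpoint": endpoint, "params": params}

    def _token(self) -> str:  # hypothetical internal helper; must never be CLI-reachable
        return "plaintext-panel-token"


def dispatch_unsafe(client: PanelClient, cmd: str, *args: Any) -> Any:
    """Mirrors the audited pattern: whatever string arrives in `cmd` is resolved on
    the client, so private helpers and `raw` are as reachable as `sites`."""
    return getattr(client, cmd)(*args)


@dataclass(frozen=True)
class Command:
    fn: Callable[..., Any]
    writes: bool  # write/destructive operations need explicit operator consent


# The only names the CLI may resolve; nothing else ever reaches an attribute lookup.
COMMANDS: Dict[str, Command] = {
    "sites": Command(PanelClient.sites, writes=False),
    "site_stop": Command(PanelClient.site_stop, writes=True),
    "site_start": Command(PanelClient.site_start, writes=True),
}

# Hypothetical reviewed list: `raw` is limited to read-only panel endpoints.
RAW_ENDPOINT_ALLOWLIST = {
    "/system?action=GetSystemTotal",
    "/system?action=GetNetWork",
}


def dispatch(client: PanelClient, cmd: str, *args: Any,
             allow_write: bool = False, endpoint: Optional[str] = None,
             **params: Any) -> dict:
    """Run one command; returns {"ok": True, "result": ...} or {"ok": False, "error": ...}."""
    if cmd == "raw":
        if endpoint not in RAW_ENDPOINT_ALLOWLIST:
            return {"ok": False, "error": f"raw endpoint not allowlisted: {endpoint!r}"}
        return {"ok": True, "result": client.raw(endpoint, **params)}
    spec = COMMANDS.get(cmd)
    if spec is None:  # unknown names are refused before any getattr()
        return {"ok": False, "error": f"unknown command: {cmd!r}"}
    if spec.writes and not allow_write:
        return {"ok": False, "error": f"{cmd!r} is a write operation; re-run with allow_write=True"}
    return {"ok": True, "result": spec.fn(client, *args)}


if __name__ == "__main__":
    c = PanelClient()
    print(dispatch_unsafe(c, "_token"))                               # leaks the token
    print(dispatch(c, "_token"))                                      # refused
    print(dispatch(c, "site_stop", 1, "example.com"))                 # refused without consent
    print(dispatch(c, "raw", endpoint="/files?action=GetFileBody"))   # refused
```

The `writes` flag is what makes the "read-mostly wrappers" comment in the skill true in code rather than in documentation: a reviewer can grep `COMMANDS` and the allowlist to see the whole surface, and a policy layer can deny `allow_write` for an unattended agent.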

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script retrieves the BT-Panel API configuration and deliberately outputs the API token in plaintext, including decrypting it when stored encrypted. This creates a credential-recovery primitive that can expose administrative panel access to any caller or logging sink, which is especially dangerous because the skill is designed for remote server administration across multiple panels.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are very broad, including generic ops-related language such as '管一下服务器' ("take care of the server") and 'bt panel', which can cause accidental invocation. In a skill that can stop sites, manage databases, renew certificates, and call arbitrary endpoints, unintended activation raises the chance of dangerous or irreversible actions being performed in the wrong context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to store a plaintext BT-Panel API token in ~/.huo15/baota.json and even notes that the token is the 'only defense' for a publicly reachable tunnel. Without strong warnings and compensating controls, plaintext credential storage materially increases the risk of token theft leading to full remote panel administration.

Missing User Warnings

High
Confidence
99% confidence
Finding
The HTTPS client disables both certificate validation and hostname verification, which allows a man-in-the-middle attacker to impersonate the BT-Panel server and intercept or alter all API traffic. Because this skill uses privileged panel credentials and performs administrative actions on servers, a network attacker could steal auth material, falsify monitoring results, or trigger unauthorized operational changes.
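Added example, not the skill's own client code, showing the weak TLS configuration this finding describes beside the corrected one. BT-Panel installs commonly use a self-signed certificate, which is usually why verification gets switched off; the fix is to pin that certificate (or the private CA) through `cafile` rather than to disable checks. The `cafile` path in the usage comment is a placeholder.

```python
"""TLS settings for a BT-Panel HTTPS client (added example, not the skill's code)."""
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The pattern the audit flags: certificate and hostname checks both off,
    so any on-path attacker can present their own certificate and read or
    rewrite every API call, token included."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def panel_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened replacement: verification stays on; a self-signed panel
    certificate or private CA is trusted explicitly via `cafile`."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses a reviewer would report for a given context."""
    issues: List[str] = []
    if not ctx.check_hostname:
        issues.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("certificate verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("TLS < 1.2 permitted")
    return issues


if __name__ == "__main__":
    print(audit_context(insecure_context()))   # hostname and certificate findings
    print(audit_context(panel_context()))      # []
    # Usage with the standard library (PANEL_URL and the CA path are placeholders):
    # urllib.request.urlopen(PANEL_URL, context=panel_context("/etc/huo15/panel-ca.pem"))
```

`audit_context` is also a cheap unit test to keep in a helper's own test suite: it fails the build the moment someone reintroduces `CERT_NONE` for convenience.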

Missing User Warnings

High
Confidence
97% confidence
Finding
The script silently enables the BT-Panel API, modifies the whitelist, and then emits the token without any confirmation, audit prompt, or operator disclosure. This changes the server's security posture and can expand remote administrative access, making compromise easier if the whitelist is broadened or the output is captured.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code directly accesses stored API credentials and decrypts them via panel internals, then returns the plaintext value to stdout. Even if intended for setup convenience, this bypasses normal secret-handling boundaries and risks leaking credentials through terminal history, process capture, orchestration logs, or downstream tools.
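Added example, not the skill's code, covering the token-handling findings above (plaintext storage in ~/.huo15/baota.json, silent API enablement that prints the token, and the decrypt-to-stdout helper). It shows two compensating controls a practitioner would want: refusing a config file that other local users can read, and redacting token-like fields before any structure is printed or logged. The sample config, key names and paths are constructed for illustration.

```python
"""Stored-token handling for a BT-Panel helper (added example, not the skill's code)."""
import json
import os
import re
import stat
import tempfile
from typing import Any

# Keys whose values are masked before output; pattern is illustrative, extend as needed.
SECRET_KEY_RE = re.compile(r"(token|secret|password|passwd|api_?key)", re.IGNORECASE)
REDACTED = "[REDACTED]"


def load_panel_config(path: str) -> dict:
    """Load a ~/.huo15/baota.json-style file, but only if it is private to the owner.
    A token readable by group or world is a token shared with every local account."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by other users; run chmod 600 on it")
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def redact(obj: Any) -> Any:
    """Recursively replace values stored under secret-looking keys so that
    json.dumps(redact(config)) is safe for terminals, logs and agent transcripts."""
    if isinstance(obj, dict):
        return {k: (REDACTED if SECRET_KEY_RE.search(str(k)) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def config_load_outcome(mode: int) -> str:
    """Write a constructed config with the given file mode and report what loading does."""
    sample = {"host": "https://panel.example.internal:8888",   # constructed sample
              "api_token": "constructed-token-value"}
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "baota.json")
        with open(p, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(p, mode)
        try:
            cfg = load_panel_config(p)
        except PermissionError:
            return "refused"
        return "loaded" if cfg == sample else "mismatch"


if __name__ == "__main__":
    print(config_load_outcome(0o600))   # loaded
    print(config_load_outcome(0o644))   # refused
    print(json.dumps(redact({"host": "h", "api_token": "x", "db": {"password": "y"}})))
```

If a setup helper genuinely has to hand the token to the operator once, write it to a 0600 file or a secret store and print only where it was written; the redaction above is the default for everything else, so that an orchestration log or agent transcript never captures the credential.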

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
```
crontab  -> [renew Let's Encrypt certificate, ...]         ✅ generic raw call
sites    -> [] (the gjb-ssh services are all Docker, not BT-Panel sites) ✅
```
Confidence
75% confidence
Finding
crontab -> [renew Let's Enc

VirusTotal

VirusTotal findings are pending for this skill version.
