3x-ui-setup
Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill executes a remote script from https://get.acme.sh by piping it directly into sh. This is a dangerous pattern that allows a remote server to execute arbitrary code on the system.
- [EXTERNAL_DOWNLOADS] (HIGH): Multiple scripts and binaries are downloaded from unverified GitHub repositories (mhsanaei/3x-ui and XTLS/RealiTLScanner) and executed. These sources are not on the trusted list, posing a significant supply-chain risk.
- [CREDENTIALS_UNSAFE] (HIGH): Administrative credentials, including the panel username and password, are passed as plaintext arguments in ssh commands and curl requests. These credentials can be captured from process monitoring tools (like ps) or found in the user's shell history.
- [COMMAND_EXECUTION] (MEDIUM): The skill makes extensive use of sudo to perform high-privilege system modifications, such as editing Nginx configuration files, managing system services, and modifying crontabs for persistence.
Recommendations
- HIGH: Downloads and executes remote code from: https://127.0.0.1:${PANEL_PORT}/{web_base_path}/panel/api/inbounds/list, https://github.com/XTLS/RealiTLScanner/releases/latest/download/RealiTLScanner-linux-${SA}, https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata