3x-ui-setup
Fail
Audited by Snyk on Feb 22, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill collects and instructs embedding sensitive secrets (provider root password, sudo password, panel username/password, private/public keys, and full VLESS links) directly into commands, API calls, and generated guide files—forcing the agent to output those secret values verbatim.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). The list includes direct downloads of executable scripts/binaries from individual or lesser-known GitHub users (raw install.sh, RealiTLScanner binary), which are high-risk if run without review, alongside some benign/local URLs (127.0.0.1 endpoints, claude.ai, hiddify releases, 2ip.ru). Because arbitrary shell scripts and release binaries from unvetted sources are common malware vectors, the overall risk is moderate–high.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill downloads and runs binaries/scripts from public GitHub URLs (e.g., the 3x-ui install script in Step 14 and the RealiTLScanner binary in Step 17A) and instructs the agent to read scanner output (neighboring domains/SNI) and use those results to configure the VPN, so it clearly ingests and acts on untrusted, public third‑party content.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly downloads and executes remote code at runtime (required for operation) — e.g., https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh is fetched and run via bash, the RealiTLScanner binary is downloaded from https://github.com/XTLS/RealiTLScanner/releases/latest/download/... and executed, and the vless-tls path even suggests curl https://get.acme.sh | sh; these are runtime external dependencies that execute remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs the agent/user to create non-root accounts, run numerous sudo commands, modify system files (sshd_config, sysctl, ufw rules, /etc), install services and disable root/password login — all actions that change the machine's state and require privileged access.
Audit Metadata