3x-ui-setup

[Skill Scanner] URL pointing to executable file detected All findings: [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: Instruction to copy/paste content into terminal detected (CI012) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] hardcoded_secrets: Generic secret pattern detected (HS005) [AITech 8.2] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] command_injection: Multi-step download-and-execute pattern detected (CI007) [AITech 9.1.4] [HIGH] command_injection: Multi-step download-and-execute pattern detected (CI007) [AITech 9.1.4] [HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3] [HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] [HIGH] data_exfiltration: Remote file transfer via SSH/SCP/SFTP/rsync detected (NW001) [AITech 8.2.3] The material is coherent as a step-by-step deployment and hardening guide for a VPN proxy stack, but it exhibits several high-risk patterns (download-execute of external binaries, potential credential exposure, deferred security controls) that are not fully mitigated by secure-education patterns. Given the combination of supply-chain risk (external binaries), credential handling, and remote execution flows, the overall risk is Suspicious to High. It should be treated as risky pending stronger verification (pinned hashes/signatures for all downloads, in-script credential handling safeguards, and removal of deferred lockdown steps or explicit gating with user confirmation). LLM verification: The skill is coherent with its stated goal (deploying a VPN server with 3x-ui) but exhibits high-risk patterns: unpinned/remote script installations, credential exposure in logs/docs, and complex SSH-based workflows with deferred security hardening. These patterns constitute a suspicious-to-high-risk footprint in supply-chain security. To improve security posture, require code-signing/hash verification for all installers, remove or harden deferred steps (lockdown and fail2ban earlier with safe f