Skills
skills/openclaw/skills/3x-ui-setup/Gen Agent Trust Hub

3x-ui-setup

Fail

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill downloads and executes code from third-party repositories not included in the trusted vendors list.
  • Evidence: Fetches the 3x-ui installer from 'https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh' and executes it via 'sudo bash' in SKILL.md.
  • Evidence: Downloads the acme.sh script from 'https://get.acme.sh' and pipes it to 'sh' in references/vless-tls.md.
  • Evidence: Downloads a pre-compiled binary 'RealiTLScanner' from 'https://github.com/XTLS/RealiTLScanner/releases/latest/download/RealiTLScanner-linux-${SA}', grants execution permissions, and runs it with root privileges in SKILL.md.
  • [COMMAND_EXECUTION]: The skill makes extensive use of 'sudo' to perform destructive or high-privilege system operations.
  • Evidence: Modifies core system configuration files including '/etc/ssh/sshd_config' and '/etc/sysctl.d/99-security.conf'.
  • Evidence: Executes dynamic Python code using 'python3 -c' to process data retrieved from local API endpoints in SKILL.md and references/vless-tls.md.
  • [CREDENTIALS_UNSAFE]: The skill manages and stores sensitive credentials in insecure ways.
  • Evidence: Generates and displays sudo passwords and 3x-ui panel credentials.
  • Evidence: Creates a 'vpn-guide.md' file on the local file system containing the server IP, username, sudo password, and VPN connection links in plain text.
  • [PROMPT_INJECTION]: The skill contains patterns that facilitate multi-step chain indirect injections.
  • Ingestion points: Processes output from 'ifconfig.me', local 3x-ui API responses, and subnet scan results from an external binary.
  • Boundary markers: No explicit boundary markers or 'ignore' instructions are used when processing external data.
  • Capability inventory: Full bash command execution, file-writing via 'tee', and network operations via 'curl' and 'scp'.
  • Sanitization: No significant sanitization is performed on external data before it is used in command arguments or output to the user.
  • Evidence: Step 22 includes a 'Instructions for Claude Code' block intended to be copy-pasted into another agent session to automate further high-privilege tasks.
  • [DATA_EXFILTRATION]: The skill transmits the server's public IP address to an external service.
  • Evidence: Uses 'curl -4 -s ifconfig.me' to retrieve the server's external IP address.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh, https://127.0.0.1:${PANEL_PORT}/{web_base_path}/panel/api/inbounds/list, https://github.com/XTLS/RealiTLScanner/releases/latest/download/RealiTLScanner-linux-${SA} - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 17, 2026, 10:55 AM