3x-ui-setup

Fail

Audited by Snyk on Mar 17, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill collects and instructs embedding sensitive secrets (provider root password, sudo password, panel username/password, private/public keys, and full VLESS links) directly into commands, API calls, and generated guide files—forcing the agent to output those secret values verbatim.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). The list includes several safe local endpoints and reputable pages (claude.ai, 2ip.ru, XTLS org) but also directs users to execute code and download binaries from third‑party GitHub sources (notably a raw install.sh from an individual account and release artifacts/EXEs) and uses curl|bash-style installation patterns — a common malware distribution vector — so overall the set is moderately to highly suspicious.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly downloads and runs a public GitHub binary (RealiTLScanner) and instructs the agent to scan the VPS /24 and parse the scanner's output to choose a "best SNI" (Step 17A). That output is untrusted, user- or third-party content from arbitrary websites, and it directly influences the VPN configuration and the subsequent API actions (Step 18A), so the agent is exposed to indirect prompt injection from those third-party results.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly downloads and executes remote install scripts/binaries at runtime (e.g., curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh -o /tmp/3x-ui-install.sh && sudo bash /tmp/3x-ui-install.sh), and similarly fetches/executes other remote tools (e.g., the RealiTLScanner release binary and curl https://get.acme.sh | sh), so external content directly executes code and is a required dependency for the skill.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs the agent/user to create non-root accounts, run numerous sudo commands, modify system files (sshd_config, sysctl, ufw rules, /etc), install services and disable root/password login — all actions that change the machine's state and require privileged access.

Issues (5)

  W007  HIGH      Insecure credential handling detected in skill instructions.
  E005  CRITICAL  Suspicious download URL detected in skill instructions.
  W011  MEDIUM    Third-party content exposure detected (indirect prompt injection risk).
  W012  MEDIUM    Unverifiable external dependency detected (runtime URL that controls agent).
  W013  MEDIUM    Attempt to modify system services in skill instructions.

Audit Metadata

  Risk Level: CRITICAL
  Analyzed:   Mar 17, 2026, 10:55 AM
  Issues:     5