1panel Security Report — Suspicious | ClawSafe

45 /100

1panel

Comprehensive 1Panel server management skill for AI agents — 580+ API endpoints

The skill is a legitimate 1Panel API client with no direct malicious code, but its SKILL.md severely under-reports exposed capabilities (exec_command, file write, SSH management, process kill) that are not declared in the documented command surface.

Skill Name1panel

Duration99.4s

Enginepi

⚠

Use with caution

Add exec_command, file write/delete, SSH key management, process kill, and host management to SKILL.md if they are intended features. If these capabilities are unintentional leakage from the underlying API library, restrict the CLI entry point to only the documented commands.

Findings 8 items

Severity	Finding	Location
Medium	Undeclared arbitrary command execution via 1Panel Terminal API Doc Mismatch SKILL.md documents only 12 CLI commands (containers, images, websites, etc.), but the underlying tools layer exposes 'exec_command' which sends arbitrary shell commands to the 1Panel server via /api/v2/hosts/command. This is a fundamental system-level capability completely absent from SKILL.md. `case "exec_command": return await client.execCommand(args?.command, args?.cwd);` → Either remove exec_command from the tools layer or document it prominently in SKILL.md's command table with a warning about its destructive potential.	`src/tools/system.ts:17`
Medium	Undeclared filesystem write and delete operations Doc Mismatch SKILL.md lists 'files <path>' as a read-only listing command, but the underlying FileAPI supports save(), delete(), chmod(), chown(), compress(), decompress() with no path restrictions. A compromised agent could overwrite system files, change permissions, or delete directories on the managed server. `async save(path: string, content: string): Promise<any> { return this.post('/api/v2/files/save', { path, content }); }` → Document the full scope of file operations in SKILL.md or add guardrails to restrict paths to non-system directories.	`src/api/files.ts:70`
Medium	Undeclared SSH credential and key management Doc Mismatch SKILL.md does not mention SSH management at all. The host.ts tools expose creating hosts with password or privateKey credentials, generating SSH keys, and modifying SSH configurations. These are sensitive infrastructure operations not declared in the skill documentation. `{ name: 'create_host', description: 'Create host', inputSchema: { properties: { password: { type: 'string' }, privateKey: { type: 'string' } } }` → Add SSH/host management to SKILL.md if intended, or restrict these tools from the exported skill interface.	`src/tools/host.ts:3`
Medium	Undeclared process kill capability Doc Mismatch The 'kill_process' tool in system.ts can kill arbitrary processes by PID with no restrictions declared in SKILL.md. This could be used to disrupt services. `case "kill_process": return await client.killProcess(args?.pid);` → Document process management capabilities or remove kill_process from the exported tools.	`src/tools/system.ts:17`
Medium	SKILL.md claims 580+ API endpoints but CLI exposes ~12 commands Doc Mismatch SKILL.md advertises '580+ API endpoints covering containers, databases, websites, SSL, file management, system monitoring, and more', implying broad access. However, the 1panel.mjs CLI only exposes ~12 commands. The gap between the library's 200+ methods and the CLI's documented surface creates a misleading impression of limited scope. `Full access to 580+ API endpoints covering containers, databases, websites, SSL, file management, system monitoring, and more.` → Clarify the distinction between the CLI command surface and the full library API. The CLI commands should match what SKILL.md documents.	`SKILL.md:1`
Low	Unpinned dependency versions in package.json Supply Chain devDependencies use caret (^) version ranges: '@types/node': '^20.19.37', 'typescript': '^5.9.3'. This allows installing newer potentially vulnerable versions without review. `"@types/node": "^20.19.37"` → Pin exact versions (no ^) for devDependencies to ensure reproducible builds.	`package.json:28`
Low	OPENCLAW_INSTALL.md contains 'rm -rf ~' command Doc Mismatch Line 175 of OPENCLAW_INSTALL.md shows 'rm -rf ~/.openclaw/skills/1panel' as an uninstall example. The use of '~' shell expansion in documentation is a dangerous pattern — if executed literally without shell expansion, it could resolve unexpectedly. Here it is documentation text, not executable code, so the risk is low. `rm -rf ~/.openclaw/skills/1panel` → Use full path '/root' or '$HOME' instead of '~' for clarity.	`OPENCLAW_INSTALL.md:175`
Low	No input validation or path restrictions on file operations Priv Escalation File operations accept arbitrary paths with no validation to prevent access to system directories like /etc, /root, /home. Combined with undeclared WRITE access, this could allow modification of sensitive system files. `async getContent(path: string): Promise<any> { return this.post('/api/v2/files/content', { path }); }` → Add path validation to restrict file operations to user-accessible directories.	`src/api/files.ts:30`

Resource	Declared	Inferred	Status	Evidence
Network	`NONE`	`READ`	✓ Aligned	ONEPANEL_HOST env var, BaseAPI makes HTTP requests to 1Panel server
Filesystem	`NONE`	`WRITE`	✗ Violation	src/api/files.ts:FileAPI.save() — file write not declared in SKILL.md
Shell	`NONE`	`WRITE`	✗ Violation	src/tools/system.ts:exec_command — arbitrary command execution via 1Panel Termin…
Environment	`NONE`	`READ`	✓ Aligned	ONEPANEL_API_KEY, ONEPANEL_HOST, ONEPANEL_PORT, ONEPANEL_PROTOCOL read from env
Skill Invoke	`READ`	`READ`	✓ Aligned	SKILL.md defines CLI commands
Database	`NONE`	`WRITE`	✗ Violation	src/api/database.ts — create/delete/operate databases, not declared in SKILL.md
Browser	`NONE`	`NONE`	—	No browser access found
Clipboard	`NONE`	`NONE`	—	No clipboard access found

1 Critical 1 High 7 findings

💀

Critical Dangerous Command 危险 Shell 命令

rm -rf ~

OPENCLAW_INSTALL.md:175

🔑

High API Key 疑似硬编码凭证

API_KEY="your-1panel-api-key"

OPENCLAW_INSTALL.md:37

🔗

Medium External URL 外部 URL

https://img.shields.io/npm/v/1panel-skill.svg

README.md:3

🔗

Medium External URL 外部 URL

https://www.npmjs.com/package/1panel-skill

README.md:3

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/License-MIT-yellow.svg

README.md:4

🔗

Medium External URL 外部 URL

https://opensource.org/licenses/MIT

README.md:4

🔗

Medium External URL 外部 URL

https://1panel.cn/

README.md:390

File Tree

89 files · 274.5 KB · 7826 lines

TypeScript 75f · 5671L Markdown 7f · 1320L Python 3f · 476L JavaScript 2f · 286L JSON 2f · 73L

├─ ▾ 📁 scripts

│ ├─ 📜 1panel.mjs JavaScript 129L · 4.0 KB

│ ├─ 🐍 generate_all_apis_fixed.py Python 156L · 5.1 KB

│ ├─ 🐍 generate_all_apis.py Python 180L · 6.0 KB

│ ├─ 🐍 generate_apis.py Python 140L · 4.6 KB

│ └─ 📜 generate-api.cjs JavaScript 157L · 4.1 KB

├─ ▾ 📁 src

│ ├─ ▾ 📁 api

│ │ ├─ 📜 ai.ts TypeScript 222L · 6.7 KB

│ │ ├─ 📜 apps.ts TypeScript 164L · 4.8 KB

│ │ ├─ 📜 backup.ts TypeScript 19L · 529 B

│ │ ├─ 📜 backupaccount.ts TypeScript 137L · 3.9 KB

│ │ ├─ 📜 base.ts TypeScript 39L · 1.1 KB

│ │ ├─ 📜 clam.ts TypeScript 76L · 2.1 KB

│ │ ├─ 📜 composes.ts TypeScript 43L · 1.3 KB

│ │ ├─ 📜 container.ts TypeScript 101L · 2.9 KB

│ │ ├─ 📜 cronjobs.ts TypeScript 96L · 2.6 KB

│ │ ├─ 📜 dashboard.ts TypeScript 92L · 2.6 KB

│ │ ├─ 📜 database.ts TypeScript 227L · 6.8 KB

│ │ ├─ 📜 device.ts TypeScript 60L · 1.6 KB

│ │ ├─ 📜 disk.ts TypeScript 52L · 1.0 KB

│ │ ├─ 📜 fail2ban.ts TypeScript 80L · 1.9 KB

│ │ ├─ 📜 file.ts TypeScript 241L · 4.9 KB

│ │ ├─ 📜 files.ts TypeScript 277L · 7.1 KB

│ │ ├─ 📜 firewall.ts TypeScript 91L · 2.7 KB

│ │ ├─ 📜 ftp.ts TypeScript 93L · 1.9 KB

│ │ ├─ 📜 gpu.ts TypeScript 17L · 386 B

│ │ ├─ 📜 host.ts TypeScript 166L · 4.1 KB

│ │ ├─ 📜 images.ts TypeScript 43L · 1.3 KB

│ │ ├─ 📜 index.ts TypeScript 60L · 1.7 KB

│ │ ├─ 📜 logs.ts TypeScript 44L · 1.2 KB

│ │ ├─ 📜 monitor.ts TypeScript 44L · 1.1 KB

│ │ ├─ 📜 networks.ts TypeScript 19L · 545 B

│ │ ├─ 📜 node.ts TypeScript 24L · 610 B

│ │ ├─ 📜 ollama.ts TypeScript 52L · 1.1 KB

│ │ ├─ 📜 openresty.ts TypeScript 59L · 1.3 KB

│ │ ├─ 📜 php.ts TypeScript 66L · 1.7 KB

│ │ ├─ 📜 process.ts TypeScript 52L · 1.4 KB

│ │ ├─ 📜 recyclebin.ts TypeScript 31L · 677 B

│ │ ├─ 📜 runtime.ts TypeScript 171L · 5.0 KB

│ │ ├─ 📜 settings.ts TypeScript 291L · 8.2 KB

│ │ ├─ 📜 snapshot.ts TypeScript 71L · 2.0 KB

│ │ ├─ 📜 ssh.ts TypeScript 96L · 2.6 KB

│ │ ├─ 📜 system.ts TypeScript 11L · 278 B

│ │ ├─ 📜 task.ts TypeScript 17L · 388 B

│ │ ├─ 📜 terminal.ts TypeScript 21L · 586 B

│ │ ├─ 📜 volumes.ts TypeScript 19L · 513 B

│ │ └─ 📜 website.ts TypeScript 528L · 14.8 KB

│ ├─ ▾ 📁 tools

│ │ ├─ 📜 ai.ts TypeScript 69L · 7.5 KB

│ │ ├─ 📜 app.ts TypeScript 18L · 1.1 KB

│ │ ├─ 📜 backup.ts TypeScript 31L · 3.3 KB

│ │ ├─ 📜 clam.ts TypeScript 30L · 2.6 KB

│ │ ├─ 📜 compose.ts TypeScript 28L · 2.4 KB

│ │ ├─ 📜 container.ts TypeScript 54L · 5.6 KB

│ │ ├─ 📜 cronjob.ts TypeScript 14L · 785 B

│ │ ├─ 📜 database.ts TypeScript 54L · 6.8 KB

│ │ ├─ 📜 device.ts TypeScript 22L · 1.8 KB

│ │ ├─ 📜 disk.ts TypeScript 18L · 1.3 KB

│ │ ├─ 📜 fail2ban.ts TypeScript 22L · 2.0 KB

│ │ ├─ 📜 file.ts TypeScript 44L · 5.0 KB

│ │ ├─ 📜 firewall.ts TypeScript 14L · 859 B

│ │ ├─ 📜 ftp.ts TypeScript 24L · 2.0 KB

│ │ ├─ 📜 gpu.ts TypeScript 12L · 599 B

│ │ ├─ 📜 host.ts TypeScript 48L · 5.3 KB

│ │ ├─ 📜 image.ts TypeScript 28L · 2.3 KB

│ │ ├─ 📜 index.ts TypeScript 30L · 879 B

│ │ ├─ 📜 network.ts TypeScript 14L · 830 B

│ │ ├─ 📜 node.ts TypeScript 14L · 1022 B

│ │ ├─ 📜 ollama.ts TypeScript 22L · 1.8 KB

│ │ ├─ 📜 openresty.ts TypeScript 24L · 2.1 KB

│ │ ├─ 📜 php.ts TypeScript 25L · 2.6 KB

│ │ ├─ 📜 recyclebin.ts TypeScript 16L · 1002 B

│ │ ├─ 📜 runtime.ts TypeScript 14L · 1006 B

│ │ ├─ 📜 snapshot.ts TypeScript 24L · 2.3 KB

│ │ ├─ 📜 system.ts TypeScript 46L · 4.1 KB

│ │ ├─ 📜 task.ts TypeScript 12L · 540 B

│ │ ├─ 📜 volume.ts TypeScript 14L · 774 B

│ │ └─ 📜 website.ts TypeScript 56L · 6.5 KB

│ ├─ ▾ 📁 types

│ │ └─ 📜 config.ts TypeScript 6L · 107 B

│ ├─ ▾ 📁 utils

│ │ └─ 📜 auth.ts TypeScript 9L · 316 B

│ ├─ 📜 client-advanced.ts TypeScript 393L · 15.9 KB

│ ├─ 📜 client.ts TypeScript 393L · 15.9 KB

│ └─ 📜 index.ts TypeScript 17L · 371 B

├─ 📝 API_COVERAGE_FINAL.md Markdown 152L · 4.4 KB

├─ 📝 API_COVERAGE_REPORT.md Markdown 197L · 5.8 KB

├─ 📝 IMPLEMENTATION_PLAN.md Markdown 134L · 3.0 KB

├─ 📝 OPENCLAW_INSTALL.md Markdown 176L · 3.5 KB

├─ 📋 package.json JSON 49L · 1.0 KB

├─ 📝 PROGRESS.md Markdown 95L · 2.3 KB

├─ 📝 README.md Markdown 390L · 9.0 KB

├─ 📝 SKILL.md Markdown 176L · 4.0 KB

└─ 📋 tsconfig.json JSON 24L · 619 B

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`@types/node`	`^20.19.37`	npm	No	Version not pinned, uses caret range
`typescript`	`^5.9.3`	npm	No	Version not pinned, uses caret range
`none (runtime)`	`N/A`	npm	No	Zero runtime dependencies — only Node.js standard library used

Security Positives

✓ No direct shell execution on the host machine — all operations route through the 1Panel REST API

✓ No obfuscation, base64-encoded payloads, or anti-analysis techniques detected

✓ No credential harvesting beyond the ONEPANEL_API_KEY which is necessary for the service

✓ No external network exfiltration or C2 communication — all requests target the configured 1Panel server

✓ No reverse shell, backdoor, or persistence mechanisms found in the codebase

✓ No hidden instructions in HTML comments or other steganographic patterns

✓ Clean auth implementation using MD5(token,timestamp) signature, matching 1Panel's expected protocol

✓ No malicious dependencies — package.json has zero runtime dependencies, only TypeScript dev tooling

✓ No npm scripts that execute remote content (no curl|bash, wget|sh patterns)

✓ Codebase is a well-structured TypeScript library, consistent with a legitimate API client

Scan Report

Findings 8 items

File Tree

Dependencies 3 items

Security Positives