Skill Trust Decision

1panel

The skill is a legitimate 1Panel API client with no direct malicious code, but its SKILL.md severely under-reports exposed capabilities (exec_command, file write, SSH management, process kill) that are not declared in the documented command surface.

Source: Manual upload
Scanned: Apr 4, 2026
Files: 89
Artifacts: 7
Violations: 3
Findings: 8

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Block
Hidden execution and egress

2 high-risk artifacts or egress signals were extracted.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

2 dependency or supply-chain issues need attention.

What drove the risk score up

Undeclared command execution +20

system.ts 'exec_command' tool executes arbitrary shell commands via 1Panel API, not declared in SKILL.md documented commands or capabilities list

Undeclared filesystem WRITE access +10

File save/delete/chmod/chown via 1Panel API not declared in SKILL.md command table

Undeclared credential management +10

SSH key generation/management, host credential storage (password/privateKey) not declared

SKILL.md command surface misleading +5

SKILL.md lists ~12 CLI commands but the underlying library exposes 200+ methods with system-level access, misleading users about actual scope

Most important evidence

Medium Doc Mismatch

Undeclared arbitrary command execution via 1Panel Terminal API

SKILL.md documents only 12 CLI commands (containers, images, websites, etc.), but the underlying tools layer exposes 'exec_command' which sends arbitrary shell commands to the 1Panel server via /api/v2/hosts/command. This is a fundamental system-level capability completely absent from SKILL.md.

src/tools/system.ts:17
Either remove exec_command from the tools layer or document it prominently in SKILL.md's command table with a warning about its destructive potential.
Medium Doc Mismatch

Undeclared filesystem write and delete operations

SKILL.md lists 'files <path>' as a read-only listing command, but the underlying FileAPI supports save(), delete(), chmod(), chown(), compress(), decompress() with no path restrictions. A compromised agent could overwrite system files, change permissions, or delete directories on the managed server.

src/api/files.ts:70
Document the full scope of file operations in SKILL.md or add guardrails to restrict paths to non-system directories.
Medium Doc Mismatch

Undeclared SSH credential and key management

SKILL.md does not mention SSH management at all. The host.ts tools expose creating hosts with password or privateKey credentials, generating SSH keys, and modifying SSH configurations. These are sensitive infrastructure operations not declared in the skill documentation.

src/tools/host.ts:3
Add SSH/host management to SKILL.md if intended, or restrict these tools from the exported skill interface.
Medium Doc Mismatch

Undeclared process kill capability

The 'kill_process' tool in system.ts can kill arbitrary processes by PID with no restrictions declared in SKILL.md. This could be used to disrupt services.

src/tools/system.ts:17
Document process management capabilities or remove kill_process from the exported tools.
Medium Doc Mismatch

SKILL.md claims 580+ API endpoints but CLI exposes ~12 commands

SKILL.md advertises '580+ API endpoints covering containers, databases, websites, SSL, file management, system monitoring, and more', implying broad access. However, the 1panel.mjs CLI only exposes ~12 commands. The gap between the library's 200+ methods and the CLI's documented surface creates a misleading impression of limited scope.

SKILL.md:1
Clarify the distinction between the CLI command surface and the full library API. The CLI commands should match what SKILL.md documents.
Low Supply Chain

Unpinned dependency versions in package.json

devDependencies use caret (^) version ranges: '@types/node': '^20.19.37', 'typescript': '^5.9.3'. This allows installing newer potentially vulnerable versions without review.

package.json:28
Pin exact versions (no ^) for devDependencies to ensure reproducible builds.
Low Doc Mismatch

OPENCLAW_INSTALL.md contains 'rm -rf ~' command

Line 175 of OPENCLAW_INSTALL.md shows 'rm -rf ~/.openclaw/skills/1panel' as an uninstall example. The use of '~' shell expansion in documentation is a dangerous pattern — if executed literally without shell expansion, it could resolve unexpectedly. Here it is documentation text, not executable code, so the risk is low.

OPENCLAW_INSTALL.md:175
Use full path '/root' or '$HOME' instead of '~' for clarity.
Low Priv Escalation

No input validation or path restrictions on file operations

File operations accept arbitrary paths with no validation to prevent access to system directories like /etc, /root, /home. Combined with undeclared WRITE access, this could allow modification of sensitive system files.

src/api/files.ts:30
Add path validation to restrict file operations to user-accessible directories.

Declared capability vs actual capability

Network Pass
Declared NONE
Inferred READ
ONEPANEL_HOST env var, BaseAPI makes HTTP requests to 1Panel server
Filesystem Block
Declared NONE
Inferred WRITE
src/api/files.ts:FileAPI.save() — file write not declared in SKILL.md
Shell Block
Declared NONE
Inferred WRITE
src/tools/system.ts:exec_command — arbitrary command execution via 1Panel Terminal API, not declared in SKILL.md
Environment Pass
Declared NONE
Inferred READ
ONEPANEL_API_KEY, ONEPANEL_HOST, ONEPANEL_PORT, ONEPANEL_PROTOCOL read from env
Skill Invoke Pass
Declared READ
Inferred READ
SKILL.md defines CLI commands
Database Block
Declared NONE
Inferred WRITE
src/api/database.ts — create/delete/operate databases, not declared in SKILL.md
Browser Pass
Declared NONE
Inferred NONE
No browser access found
Clipboard Pass
Declared NONE
Inferred NONE
No clipboard access found

Suspicious artifacts and egress

Critical Dangerous Command
rm -rf ~

OPENCLAW_INSTALL.md:175

High API Key
API_KEY="your-1panel-api-key"

OPENCLAW_INSTALL.md:37

Medium External URL
https://img.shields.io/npm/v/1panel-skill.svg

README.md:3

Medium External URL
https://www.npmjs.com/package/1panel-skill

README.md:3

Medium External URL
https://img.shields.io/badge/License-MIT-yellow.svg

README.md:4

Medium External URL
https://opensource.org/licenses/MIT

README.md:4

Medium External URL
https://1panel.cn/

README.md:390

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
@types/node | ^20.19.37 | npm | No | Version not pinned, uses caret range
typescript | ^5.9.3 | npm | No | Version not pinned, uses caret range
none (runtime) | N/A | npm | No | Zero runtime dependencies — only Node.js standard library used

File composition

89 files · 7826 lines
TypeScript 75 files · 5671 lines
Markdown 7 files · 1320 lines
Python 3 files · 476 lines
JavaScript 2 files · 286 lines
JSON 2 files · 73 lines
Files of concern · 2
README.md Markdown · 390 lines
https://img.shields.io/npm/v/1panel-skill.svg · https://www.npmjs.com/package/1panel-skill · https://img.shields.io/badge/License-MIT-yellow.svg · https://opensource.org/licenses/MIT · https://1panel.cn/
src/api/files.ts TypeScript · 277 lines
Undeclared filesystem write and delete operations · No input validation or path restrictions on file operations
Other files · client-advanced.ts · client.ts · website.ts · settings.ts · ai.ts · database.ts +4

Security positives

No direct shell execution on the host machine — all operations route through the 1Panel REST API
No obfuscation, base64-encoded payloads, or anti-analysis techniques detected
No credential harvesting beyond the ONEPANEL_API_KEY which is necessary for the service
No external network exfiltration or C2 communication — all requests target the configured 1Panel server
No reverse shell, backdoor, or persistence mechanisms found in the codebase
No hidden instructions in HTML comments or other steganographic patterns
Clean auth implementation using MD5(token,timestamp) signature, matching 1Panel's expected protocol
No malicious dependencies — package.json has zero runtime dependencies, only TypeScript dev tooling
No npm scripts that execute remote content (no curl|bash, wget|sh patterns)
Codebase is a well-structured TypeScript library, consistent with a legitimate API client