安全决策报告
1panel
The skill is a legitimate 1Panel API client with no direct malicious code, but its SKILL.md severely under-reports exposed capabilities (exec_command, file write, SSH management, process kill) that are not declared in the documented command surface.
最直接的威胁证据
为什么得出这个结论
2/4 个维度触发 阻止
声明与实际能力
发现 3 项声明之外的能力或越权行为。
阻止
隐藏执行与外联
提取到 2 个高危 IOC 或外联信号。
通过
攻击链与高危发现
没有形成明确的恶意路径。
复核
依赖与供应链卫生
发现 2 项需要关注的依赖或供应链线索。
风险分是怎么被拉高的
Undeclared command execution +20
system.ts 'exec_command' tool executes arbitrary shell commands via 1Panel API, not declared in SKILL.md documented commands or capabilities list
Undeclared filesystem WRITE access +10
File save/delete/chmod/chown via 1Panel API not declared in SKILL.md command table
Undeclared credential management +10
SSH key generation/management, host credential storage (password/privateKey) not declared
SKILL.md command surface misleading +5
SKILL.md lists ~12 CLI commands but the underlying library exposes 200+ methods with system-level access, misleading users about actual scope
最关键的证据
中危 文档欺骗
Undeclared arbitrary command execution via 1Panel Terminal API
SKILL.md documents only 12 CLI commands (containers, images, websites, etc.), but the underlying tools layer exposes 'exec_command' which sends arbitrary shell commands to the 1Panel server via /api/v2/hosts/command. This is a fundamental system-level capability completely absent from SKILL.md.
src/tools/system.ts:17 Either remove exec_command from the tools layer or document it prominently in SKILL.md's command table with a warning about its destructive potential.
中危 文档欺骗
Undeclared filesystem write and delete operations
SKILL.md lists 'files <path>' as a read-only listing command, but the underlying FileAPI supports save(), delete(), chmod(), chown(), compress(), decompress() with no path restrictions. A compromised agent could overwrite system files, change permissions, or delete directories on the managed server.
src/api/files.ts:70 Document the full scope of file operations in SKILL.md or add guardrails to restrict paths to non-system directories.
中危 文档欺骗
Undeclared SSH credential and key management
SKILL.md does not mention SSH management at all. The host.ts tools expose creating hosts with password or privateKey credentials, generating SSH keys, and modifying SSH configurations. These are sensitive infrastructure operations not declared in the skill documentation.
src/tools/host.ts:3 Add SSH/host management to SKILL.md if intended, or restrict these tools from the exported skill interface.
中危 文档欺骗
Undeclared process kill capability
The 'kill_process' tool in system.ts can kill arbitrary processes by PID with no restrictions declared in SKILL.md. This could be used to disrupt services.
src/tools/system.ts:17 Document process management capabilities or remove kill_process from the exported tools.
中危 文档欺骗
SKILL.md claims 580+ API endpoints but CLI exposes ~12 commands
SKILL.md advertises '580+ API endpoints covering containers, databases, websites, SSL, file management, system monitoring, and more', implying broad access. However, the 1panel.mjs CLI only exposes ~12 commands. The gap between the library's 200+ methods and the CLI's documented surface creates a misleading impression of limited scope.
SKILL.md:1 Clarify the distinction between the CLI command surface and the full library API. The CLI commands should match what SKILL.md documents.
低危 供应链
Unpinned dependency versions in package.json
devDependencies use caret (^) version ranges: '@types/node': '^20.19.37', 'typescript': '^5.9.3'. This allows installing newer potentially vulnerable versions without review.
package.json:28 Pin exact versions (no ^) for devDependencies to ensure reproducible builds.
低危 文档欺骗
OPENCLAW_INSTALL.md contains 'rm -rf ~' command
Line 175 of OPENCLAW_INSTALL.md shows 'rm -rf ~/.openclaw/skills/1panel' as an uninstall example. The use of '~' shell expansion in documentation is a dangerous pattern — if executed literally without shell expansion, it could resolve unexpectedly. Here it is documentation text, not executable code, so the risk is low.
OPENCLAW_INSTALL.md:175 Use full path '/root' or '$HOME' instead of '~' for clarity.
低危 权限提升
No input validation or path restrictions on file operations
File operations accept arbitrary paths with no validation to prevent access to system directories like /etc, /root, /home. Combined with undeclared WRITE access, this could allow modification of sensitive system files.
src/api/files.ts:30 Add path validation to restrict file operations to user-accessible directories.
声明能力 vs 实际能力
网络访问 通过
声明 NONE
→ 推断 READ
ONEPANEL_HOST env var, BaseAPI makes HTTP requests to 1Panel server 文件系统 阻止
声明 NONE
→ 推断 WRITE
src/api/files.ts:FileAPI.save() — file write not declared in SKILL.md 命令执行 阻止
声明 NONE
→ 推断 WRITE
src/tools/system.ts:exec_command — arbitrary command execution via 1Panel Terminal API, not declared in SKILL.md 环境变量 通过
声明 NONE
→ 推断 READ
ONEPANEL_API_KEY, ONEPANEL_HOST, ONEPANEL_PORT, ONEPANEL_PROTOCOL read from env 技能调用 通过
声明 READ
→ 推断 READ
SKILL.md defines CLI commands 数据库 阻止
声明 NONE
→ 推断 WRITE
src/api/database.ts — create/delete/operate databases, not declared in SKILL.md 浏览器 通过
声明 NONE
→ 推断 NONE
No browser access found 剪贴板 通过
声明 NONE
→ 推断 NONE
No clipboard access found 可疑产物与外联
严重 危险命令
rm -rf ~ OPENCLAW_INSTALL.md:175
高危 API 密钥
API_KEY="your-1panel-api-key" OPENCLAW_INSTALL.md:37
中危 外部 URL
https://img.shields.io/npm/v/1panel-skill.svg README.md:3
中危 外部 URL
https://www.npmjs.com/package/1panel-skill README.md:3
中危 外部 URL
https://img.shields.io/badge/License-MIT-yellow.svg README.md:4
中危 外部 URL
https://opensource.org/licenses/MIT README.md:4
中危 外部 URL
https://1panel.cn/ README.md:390
依赖与供应链
| 包名 | 版本 | 来源 | 漏洞 | 备注 |
|---|---|---|---|---|
| @types/node | ^20.19.37 | npm | 否 | Version not pinned, uses caret range |
| typescript | ^5.9.3 | npm | 否 | Version not pinned, uses caret range |
| none (runtime) | N/A | npm | 否 | Zero runtime dependencies — only Node.js standard library used |
文件构成
89 个文件 · 7826 行
TypeScript 75 个文件 · 5671 行Markdown 7 个文件 · 1320 行Python 3 个文件 · 476 行JavaScript 2 个文件 · 286 行JSON 2 个文件 · 73 行
需关注文件 · 2
README.md https://img.shields.io/npm/v/1panel-skill.svg · https://www.npmjs.com/package/1panel-skill · https://img.shields.io/badge/License-MIT-yellow.svg · https://opensource.org/licenses/MIT · https://1panel.cn/
src/api/files.ts Undeclared filesystem write and delete operations · No input validation or path restrictions on file operations
其他文件 · client-advanced.ts · client.ts · website.ts · settings.ts · ai.ts · database.ts +4
安全亮点
No direct shell execution on the host machine — all operations route through the 1Panel REST API
No obfuscation, base64-encoded payloads, or anti-analysis techniques detected
No credential harvesting beyond the ONEPANEL_API_KEY which is necessary for the service
No external network exfiltration or C2 communication — all requests target the configured 1Panel server
No reverse shell, backdoor, or persistence mechanisms found in the codebase
No hidden instructions in HTML comments or other steganographic patterns
Clean auth implementation using MD5(token,timestamp) signature, matching 1Panel's expected protocol
No malicious dependencies — package.json has zero runtime dependencies, only TypeScript dev tooling
No npm scripts that execute remote content (no curl|bash, wget|sh patterns)
Codebase is a well-structured TypeScript library, consistent with a legitimate API client