clashctl-linux

Warn

Audited by Socket on May 29, 2026

6 alerts found:

Anomaly (3), Security (3)

Anomaly, LOW
scripts/upstream-project/uninstall.sh

No direct malware (e.g., exfiltration, remote command execution, credential theft) is evident in this fragment. However, the script has significant supply-chain and operational risk: it executes multiple locally sourced shell scripts (including one path derived from `.env`) and performs an unguarded `rm -rf` on a directory determined by imported configuration. If `.env` or any sourced script is tampered with, the uninstall could execute arbitrary code and/or delete unintended filesystem paths.

Confidence: 62%, Severity: 60%

Anomaly, LOW
scripts/upstream-project/install.sh

This wrapper appears to be a typical installer/initializer for a Clash-related component: it copies a payload into a target directory, creates/merges configuration, installs/activates system service/rc state, starts UI/control, sets a generated secret, and activates a local config via clashsub. No overt malicious behavior is visible in the fragment itself (no explicit exfiltration/backdoor/credential theft or obfuscation), but the most consequential logic is hidden in dot-sourced helper scripts and in functions handling secrets, service installation, and command dispatch. Additionally, it recursively copies the entire current directory into the deployed location, which can amplify the impact of any unintended artifacts. Review the sourced scripts (especially service/rc installation, clashsecret, and _quit) to confirm they do not create persistence beyond expected behavior or perform network-based data leakage.

Confidence: 52%, Severity: 60%

Anomaly, LOW
scripts/upstream-project/scripts/cmd/common.sh

This script primarily orchestrates Clash configuration, resolves port conflicts, downloads and optionally converts subscription configs, and validates them using the kernel in test mode. It does not show explicit malware such as remote exfiltration or reverse shells in this fragment. The main supply-chain/security concern is that it downloads remote configs with TLS certificate verification disabled (`--insecure`/`--no-check-certificate`) and then processes/executes them via local binaries, which makes MITM or malicious subscription injection a realistic risk. Additionally, the `exec $SHELL -i` behavior in `_error_quit` is unusual and could be high impact if attacker-controlled inputs can trigger it. Overall: medium security risk, low direct malware evidence in this snippet.

Confidence: 63%, Severity: 55%

Security, MEDIUM
scripts/upstream-project/scripts/init/systemd.sh

This unit file is security-sensitive primarily due to its privilege configuration: it launches an unknown executable (the `ExecStart` placeholder) under an unusually broad and sensitive capability set (including `CAP_SYS_PTRACE` and `CAP_DAC_OVERRIDE`/`CAP_DAC_READ_SEARCH`), with `AmbientCapabilities` preserving those privileges for child processes, and it provides persistence via `Restart=always`. The fragment contains no explicit evidence of data exfiltration or backdoor logic, but the execution context is high-risk and should be reviewed by resolving and validating the real `ExecStart` command and the necessity of each capability.

Confidence: 60%, Severity: 70%

Security, MEDIUM
SKILL.md

The skill is purpose-consistent for administering Clash/Mihomo on Linux, but its trust model is weak because it instructs the agent to clone and execute an unpinned third-party GitHub installer. No clear credential exfiltration or deceptive data routing is shown, so this is better classified as suspicious/high-risk supply-chain exposure rather than confirmed malware.

Confidence: 82%, Severity: 74%

Security, MEDIUM
scripts/upstream-project/scripts/preflight.sh

No overt indicators of classic malware behaviors (exfiltration, keylogging, reverse shell) are present in this fragment. However, the script creates a high-impact supply-chain execution path: it downloads executable archives with TLS certificate validation disabled (`--insecure`), performs only decompression/format checks (no signature or hash authenticity verification), installs the resulting binaries, and then enables execution via system services and shell RC persistence. This should be treated as a significant supply-chain security risk unless authenticity is verified elsewhere and network transport is protected.

Confidence: 66%, Severity: 70%
Audit Metadata
Analyzed At
May 29, 2026, 04:09 AM
Package URL
pkg:socket/skills-sh/stvlynn%2Fskills%2Fclashctl-linux%2F@ecc9e8495aac8c47b24644c859ad237a40491aa4
Security Audit — socket — clashctl-linux