Low Risk — Risk Score 22/100
Last scan: 23 hr ago
newapi
Assistant for newapi (new-api), an open-source unified AI gateway platform. Manages models, tokens, groups, and balances through secure token handling.
This is a legitimate New API token management skill with well-designed security controls; shell execution via exec-token is declared and scoped to token substitution, with no evidence of credential exfiltration or hidden malicious behavior.
Skill Name: newapi
Duration: 60.2s
Engine: pi
Safe to install
The skill is safe to use. The primary risk surface is exec-token's arbitrary command execution, which is intentional and documented. Audit whether users can be socially engineered into passing malicious commands through the placeholder substitution mechanism.

Findings 4 items

Severity: Medium
Finding: exec-token.js executes arbitrary shell commands [RCE]
The exec-token action accepts a user-supplied command string, substitutes the real token key, and executes it via execSync with shell:true. While declared in SKILL.md, this provides unrestricted shell:WRITE access. An attacker who can influence the command argument could execute arbitrary commands on the user's system with the token key available in the environment.
stdout = execSync(realCommand, { shell: true, stdio: ['inherit', 'pipe', 'pipe'], encoding: 'utf-8', timeout: 30000 });
→ Consider restricting exec-token to known-safe CLI patterns (e.g., allowlist of executables). Add input validation beyond placeholder presence. Document the risk clearly in the skill so users understand they are passing arbitrary commands.
Location: scripts/exec-token.js:58
Severity: Low
Finding: env.js traverses project root looking for .env files [Sensitive Access]
The env.js script walks up the directory tree from cwd searching for .git or package.json to locate the project root, then loads .env from both project root and skill directory. While a legitimate pattern for config discovery, it could inadvertently expose .env files in parent directories that contain unrelated credentials.
loadEnv(path.join(projectRoot, '.env')); loadEnv(path.join(skillDir, '.env'));
→ Document that .env loading is scoped. Ensure the user's project .env does not contain unrelated secrets that could be inadvertently loaded by other tools.
Location: scripts/env.js:31
Severity: Info
Finding: inject-key.js --scan reads arbitrary files [Sensitive Access]
The --scan action reads any file path provided by the user and applies regex-based redaction. While a legitimate feature, the path.resolve call means relative paths are resolved from cwd, and the regex-based sanitization is explicitly marked best-effort and not guaranteed to catch all secrets.
const content = fs.readFileSync(resolved, 'utf-8');
→ This is documented as best-effort. Ensure users understand the limitations of regex-based redaction and avoid using --scan as a substitute for proper secret scanning tools.
Location: scripts/inject-key.js:59
Severity: Info
Finding: copy-key.js writes real tokens to system clipboard [Credential Theft]
The copy-token action retrieves the full real API key and writes it directly to the clipboard via pbcopy/xclip/xsel. While this is the intended design and the key never appears in stdout, clipboard contents can persist beyond the session and be accessed by other applications.
execSync(clipCmd, { input: fullKey, stdio: ['pipe', 'ignore', 'ignore'] });
→ Warn users that clipboard-copied secrets may linger. Consider advising users to clear the clipboard after use (e.g., with pbcopy < /dev/null on macOS).
Location: scripts/copy-key.js:62
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | All scripts (api.js, fetch-key.js, inject-key.js, copy-key.js, exec-token.js) ma…
Shell | WRITE | WRITE | ✓ Aligned | exec-token.js:28 — execSync(realCommand, {shell:true}) executes user-constructed…
Clipboard | WRITE | WRITE | ✓ Aligned | copy-key.js:62 — execSync(clipCmd, {input: fullKey}) writes token to system clip…
Filesystem | READ+WRITE | READ+WRITE | ✓ Aligned | inject-key.js reads and writes config files; env.js reads .env files from projec…
Environment | READ | READ | ✓ Aligned | env.js reads NEWAPI_BASE_URL, NEWAPI_ACCESS_TOKEN, NEWAPI_USER_ID from process.e…
Skill Invoke | READ | READ | ✓ Aligned | SKILL.md defines all actions and their invocation patterns; no undeclared cross-…
Database | NONE | NONE | | No direct database access; all persistence is via New API REST API
1 High 7 findings
High API Key: suspected hard-coded credential
api_key = "__NEWAPI_TOKEN_42__"
docs/actions-config.md:53
Medium External URL
https://api.example.com/v1
docs/actions-config.md:55
Medium External URL
https://www.newapi.ai
docs/help.md:13
Medium External URL
https://your-instance.com
docs/help.md:37
Medium External URL
https://apifox.newapi.ai/llms.txt
docs/help.md:63
Medium External URL
https://www.newapi.ai/llms.txt
docs/help.md:64
Medium External URL
https://your-newapi-instance.com
docs/setup.md:14

File Tree

14 files · 36.8 KB · 1063 lines
JavaScript 7f · 604L Markdown 7f · 459L
├─ 📁 docs
│ ├─ 📝 actions-config.md Markdown 76L · 3.3 KB
│ ├─ 📝 actions-exec.md Markdown 43L · 1.9 KB
│ ├─ 📝 actions-query.md Markdown 40L · 658 B
│ ├─ 🔑 actions-token.md Markdown 78L · 2.7 KB
│ ├─ 📝 help.md Markdown 67L · 4.3 KB
│ └─ 📝 setup.md Markdown 95L · 3.6 KB
├─ 📁 scripts
│ ├─ 📜 api.js JavaScript 104L · 2.7 KB
│ ├─ 📜 copy-key.js JavaScript 76L · 2.0 KB
│ ├─ 📜 env.js JavaScript 77L · 2.2 KB
│ ├─ 🔑 exec-token.js JavaScript 90L · 2.4 KB
│ ├─ 📜 fetch-key.js JavaScript 45L · 1.2 KB
│ ├─ 📜 inject-key.js JavaScript 130L · 3.3 KB
│ └─ 📜 sanitize.js JavaScript 82L · 2.3 KB
└─ 📝 SKILL.md Markdown 60L · 4.2 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
none | N/A | none | No | Zero external dependencies — scripts use only native Node.js/Bun/Deno APIs (fs, path, child_process, fetch)

Security Positives

✓ SKILL.md thoroughly documents all actions, capabilities, and security constraints — no documentation mismatch
✓ API keys are never printed to stdout/stderr — all key handling is in-memory via fetchTokenKey
✓ Token key substitution uses a well-defined placeholder pattern (__NEWAPI_TOKEN_{id}__) with validation
✓ Sanitization module (sanitize.js) provides regex-based redaction for sk- tokens, Bearer tokens, sensitive field values, and connection strings
✓ Atomic file writes in inject-key.js prevent partial overwrites of config files
✓ No external dependencies — zero-dependency scripts using native fetch/Node APIs reduce supply chain risk
✓ API responses are masked in api.js (keys shown as sk-xxxx**********xxxx)
✓ Security guidelines explicitly prohibit reading .env files, clipboard contents, or circumventing masking
✓ No base64-encoded payloads, no obfuscation, no anti-analysis patterns detected
✓ No attempts to access ~/.ssh, ~/.aws, or other sensitive system directories
✓ No curl|bash or wget|sh remote script execution patterns