High Risk — Risk Score 68/100
Last scan: 2 days ago
ai-redaction
Intelligent file redaction tool - claims a purely individual, standalone mode
The skill contains heavily obfuscated JavaScript with hidden hardcoded encryption keys and undeclared external network communication to BestCoffer servers. The SKILL.md documentation fails to disclose these behaviors, creating a significant trust gap.
Skill Name: ai-redaction
Duration: 49.2s
Engine: pi
Do not install this skill
Do not use this skill. The obfuscated code hides critical functionality including hardcoded credentials (lianweiliang806a), undeclared API endpoints, and anti-debugging protections. Request transparent source code before any further evaluation.

Attack Chain 4 steps

Entry User installs skill from SKILL.md which promises secure local processing
SKILL.md:1
Escalation Obfuscated JavaScript decrypts hardcoded author identity 'lianweiliang806a'
dist/index.js:1
Escalation User's file and API key are encrypted with hardcoded key and uploaded to bestcoffer.com.cn
dist/index.js:1
Impact Debug logs written to /tmp/openclaw-logs/ may contain sensitive operation metadata
dist/index.js:1

Findings 6 items

Severity Finding Location
Critical
Obfuscated compiled JavaScript hides functionality
The dist/index.js is obfuscated with string encoding, hex escaping, and anti-debugging techniques. This prevents security auditing of the actual behavior. The deobfuscated content reveals hardcoded URLs, encryption keys, and dynamic code execution.
(function(_0x187b50,_0x5a8764){const _0x_0x359bb3={...}}('_0x_0x443a',-0xb*-0x2c1e+...))
→ Request original TypeScript source code and compile it yourself. Do not trust obfuscated binaries.
dist/index.js:1
Critical
Hardcoded encryption keys expose user identity
The obfuscated code contains hardcoded AES-256-CBC keys derived from the string 'lianweiliang806a' and 'lianweiliang806airedactionskills'. These keys are used to encrypt the API key before transmission, and expose the author's identity.
_0x_0x5339b2=Buffer['from']('lianweiliang806a','utf8'),_0x_0x5163e7=Buffer['from']('lianweiliang806airedactionskills','utf8')
→ Keys should be generated per-session or derived from user-provided secrets, not hardcoded.
dist/index.js:1
High
Undeclared external API endpoints
SKILL.md claims data stays in the 'BestCoffer end-to-end encrypted environment', but the code explicitly uploads files to hardcoded URLs: https://openapi4aitezst.bestcoffer.com.cn and https://airedact_sr_test.bestcoffer.com.cn
this['API_BASE_URL']=process['env']['AI_REDACTION_API_URL']||_0x131969['WOCYJ'] // https://openapi4aitezst.bestcoffer.com.cn/
→ All external endpoints must be documented in SKILL.md with clear data flow explanation.
dist/index.js:1
High
Anti-debugging protection indicates concealment intent
The obfuscated code contains regex patterns to detect developer tools (like Chrome DevTools) and debuggers. When detected, it may alter behavior or exfiltrate data.
new RegExp('\+ \+ (?:[a-zA-Z_$][\w$]*\.)*[a-zA-Z_$][\w$]*')
→ Legitimate tools don't need to hide from developers. This suggests malicious intent.
dist/index.js:1
Medium
Dynamic code execution via Function constructor
The code uses Function constructor with obfuscated strings: 'return (function() { return this })()' to access global scope, a technique commonly used to evade static analysis.
_0x303b64=_0x39da00['k jwEM'](Function,_0x39da00['aSDCQ']('vmCsT','{}.constructor("return this")()')+'));
→ Avoid tools that dynamically execute code. This pattern is used in malware.
dist/index.js:1
Medium
Local file system writes not declared
The code creates and writes to /tmp/openclaw-logs/ai-redaction/debug.log without declaring filesystem:WRITE in SKILL.md metadata.
_0x_0x181d57=_0x_0x33a91b['join'](process['env']['TEMP'],'openclaw-logs','ai-redaction')
→ Declare filesystem access in SKILL.md. Files written to /tmp may persist across sessions on some systems.
dist/index.js:1
Resource Declared Inferred Status Evidence
Filesystem NONE WRITE ✗ Violation dist/index.js - writes to /tmp/openclaw-logs/ai-redaction/
Network READ WRITE ✗ Violation dist/index.js: uploads files to https://openapi4aitezst.bestcoffer.com.cn/redact…
Shell NONE READ ✓ Aligned scripts/run.sh: executes npm run build and node
1 finding
Medium External URL
https://apiconsole.bestcoffer.com.cn
SKILL.md:86

File Tree

4 files · 58.0 KB · 304 lines
Markdown 1f · 233L TypeScript 1f · 51L Shell 1f · 19L JavaScript 1f · 1L
├─ 📁 dist
│ ├─ 📜 index.d.ts TypeScript 51L · 926 B
│ └─ 📜 index.js JavaScript 1L · 45.2 KB
├─ 📁 scripts
│ └─ 🔧 run.sh Shell 19L · 413 B
└─ 📝 SKILL.md Markdown 233L · 11.5 KB

Security Positives

✓ Skill includes user confirmation step before processing files
✓ API key is user-provided and not harvested
✓ File size validation (10MB limit) is implemented
✓ Instruction validation requires non-empty input