Skill Trust Decision
ai-redaction
The skill contains heavily obfuscated JavaScript with hidden hardcoded encryption keys and undeclared external network communication to BestCoffer servers. The SKILL.md documentation fails to disclose these behaviors, creating a significant trust gap.
Most direct threat evidence
Critical
Obfuscated compiled JavaScript hides functionality The dist/index.js is obfuscated with string encoding, hex escaping, and anti-debugging techniques. This prevents security auditing of the actual behavior. The deobfuscated content reveals hardcoded URLs, encryption keys, and dynamic code execution.
dist/index.js:1 Why this conclusion was reached
2/4 dimensions flagged Block
Declared vs actual capability
2 undeclared or violating capabilities were inferred.
Review
Hidden execution and egress
1 lower-risk artifacts were extracted and still need context.
Block
Attack chain and severe findings
The report includes 4 attack-chain steps and 4 severe findings.
Review
Dependencies and supply chain hygiene
Dependency information is incomplete, so supply-chain confidence stays limited.
Attack Chain
01
User installs skill from SKILL.md which promises secure local processing
Entry · SKILL.md:1
02
Obfuscated JavaScript decrypts hardcoded author identity 'lianweiliang806a'
recon · dist/index.js:1
03
User's file and API key are encrypted with hardcoded key and uploaded to bestcoffer.com.cn
Escalation · dist/index.js:1
04
Debug logs written to /tmp/openclaw-logs/ may contain sensitive operation metadata
Impact · dist/index.js:1
What drove the risk score up
Obfuscated JavaScript with hidden functionality +25
dist/index.js is obfuscated using string encoding and control flow flattening. Behavior cannot be audited.
Hardcoded encryption keys with user identifier +20
AES-256-CBC keys embedded as 'lianweiliang806a' and 'lianweiliang806airedactionskills' expose author identity
Undeclared external network endpoints +15
SKILL.md does not mention hardcoded URLs to openapi4aitezst.bestcoffer.com.cn
Anti-debugging protections +8
Code contains detection for development tools and debugger breakpoints
Most important evidence
Critical
Obfuscated compiled JavaScript hides functionality
The dist/index.js is obfuscated with string encoding, hex escaping, and anti-debugging techniques. This prevents security auditing of the actual behavior. The deobfuscated content reveals hardcoded URLs, encryption keys, and dynamic code execution.
dist/index.js:1 Request original TypeScript source code and compile it yourself. Do not trust obfuscated binaries.
Critical
Hardcoded encryption keys expose user identity
The obfuscated code contains hardcoded AES-256-CBC keys derived from the string 'lianweiliang806a' and 'lianweiliang806airedactionskills'. These keys are used to encrypt the API key before transmission, and expose the author's identity.
dist/index.js:1 Keys should be generated per-session or derived from user-provided secrets, not hardcoded.
High
Undeclared external API endpoints
SKILL.md claims data stays in 'BestCoffer端到端加密环境' but the code explicitly uploads files to hardcoded URLs: https://openapi4aitezst.bestcoffer.com.cn and https://airedact_sr_test.bestcoffer.com.cn
dist/index.js:1 All external endpoints must be documented in SKILL.md with clear data flow explanation.
High
Anti-debugging protection indicates concealment intent
The obfuscated code contains regex patterns to detect developer tools (like Chrome DevTools) and debuggers. When detected, it may alter behavior or exfiltrate data.
dist/index.js:1 Legitimate tools don't need to hide from developers. This suggests malicious intent.
Medium
Dynamic code execution via Function constructor
The code uses Function constructor with obfuscated strings: 'return (function() { return this })()' to access global scope, a technique commonly used to evade static analysis.
dist/index.js:1 Avoid tools that dynamically execute code. This pattern is used in malware.
Medium
Local file system writes not declared
The code creates and writes to /tmp/openclaw-logs/ai-redaction/debug.log without declaring filesystem:WRITE in SKILL.md metadata.
dist/index.js:1 Declare filesystem access in SKILL.md. Files written to /tmp may persist across sessions on some systems.
Declared capability vs actual capability
Filesystem Block
Declared NONE
→ Inferred WRITE
dist/index.js - writes to /tmp/openclaw-logs/ai-redaction/ Network Block
Declared READ
→ Inferred WRITE
dist/index.js: uploads files to https://openapi4aitezst.bestcoffer.com.cn/redaction/upload Shell Pass
Declared NONE
→ Inferred READ
scripts/run.sh: executes npm run build and node Suspicious artifacts and egress
Medium External URL
https://apiconsole.bestcoffer.com.cn SKILL.md:86
Dependencies and supply chain
There are no structured dependency warnings.
File composition
4 files · 304 lines
Markdown 1 files · 233 linesTypeScript 1 files · 51 linesShell 1 files · 19 linesJavaScript 1 files · 1 lines
Files of concern · 2
dist/index.js Obfuscated compiled JavaScript hides functionality · Hardcoded encryption keys expose user identity · Undeclared external API endpoints · Anti-debugging protection indicates concealment intent · Dynamic code execution via Function constructor · Local file system writes not declared
SKILL.md https://apiconsole.bestcoffer.com.cn
Other files · index.d.ts · run.sh
Security positives
Skill includes user confirmation step before processing files
API key is user-provided and not harvested
File size validation (10MB limit) is implemented
Instruction validation requires non-empty input