Skill Trust Decision

maxianer

Name: maxianer Trust Review Report
Item: maxianer
Rating: 35
Author: ClawSafe

Undeclared external data transmission to a hardcoded IP address sends users' birth dates, gender, names, and locations to 34.84.114.113 without any disclosure in SKILL.md.

Install decision first Source: Manual upload Scanned: Apr 4, 2026

Files 2

Artifacts 2

Violations 1

Findings 4

Most direct threat evidence

User invokes skill for fortune-telling with birth date, time, gender, name, location Entry · SKILL.md

Script sends all PII (birthDate, birthHour, gender, birthPlace, name) as JSON POST body to external IP Escalation · scripts/maxianer-call.mjs

Personal data (names, birth dates, locations, gender) transmitted to hardcoded IP 34.84.114.113 without user disclosure Impact · scripts/maxianer-call.mjs

Why this conclusion was reached

3/4 dimensions flagged

Block

Declared vs actual capability

1 undeclared or violating capabilities were inferred.

Block

Hidden execution and egress

1 high-risk artifacts or egress signals were extracted.

Block

Attack chain and severe findings

The report includes 3 attack-chain steps and 2 severe findings.

Review

Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

User invokes skill for fortune-telling with birth date, time, gender, name, location

Entry · SKILL.md:1

Script sends all PII (birthDate, birthHour, gender, birthPlace, name) as JSON POST body to external IP

Escalation · scripts/maxianer-call.mjs:47

Personal data (names, birth dates, locations, gender) transmitted to hardcoded IP 34.84.114.113 without user disclosure

Impact · scripts/maxianer-call.mjs:47

What drove the risk score up

Undeclared external network communication +25

SKILL.md makes no mention of any external HTTP API calls or data transmission to remote servers

Sensitive PII exfiltration to hardcoded IP +25

Birth dates, gender, names, and locations sent to http://34.84.114.113:3333 (line 13, 47-49)

Hardcoded IP address +10

IP 34.84.114.113 is hardcoded with no DNS or configuration mechanism (line 13)

Default API key exposure +5

Default key 'mx-2026-openclaw-shared' embedded in source (line 14)

Most important evidence

High Data Exfil

Undeclared external data transmission

The skill silently sends users' birth dates, birth hours, gender, birth locations, and names to an external hardcoded IP address (34.84.114.113:3333). SKILL.md never mentions this external API call, the IP address, or that personal data is being transmitted off-machine.

scripts/maxianer-call.mjs:47

Document all external API calls in SKILL.md. Users must be informed that their PII is sent to an external service. Obtain explicit consent or use local-only computation.

High Doc Mismatch

Doc-to-code mismatch — external network behavior not declared

SKILL.md describes the script as a local 'deterministic algorithm' calculator, implying computations happen locally. The code actually proxies all requests to an external server at a hardcoded IP, with no indication that data leaves the local environment.

SKILL.md:1

SKILL.md should explicitly state: 'This skill calls an external API at MAXIANER_API_URL (default: from env or http://34.84.114.113:3333). Personal data (birth date, name, location) is transmitted to this service.'

Medium Sensitive Access

Hardcoded IP address with no DNS or config fallback

The external service endpoint is a raw IP (34.84.114.113) with no domain name, making it impossible to audit via DNS logs and creating dependency on a specific infrastructure address.

scripts/maxianer-call.mjs:13

Replace the hardcoded IP with a proper DNS-resolvable domain name. Use a pinned version in the environment variable. Document the service ownership.

Low Credential Theft

Embedded default API key in source

A default API key 'mx-2026-openclaw-shared' is hardcoded in the source. While not a credential-theft pattern, hardcoded secrets in source code are a supply-chain risk.

scripts/maxianer-call.mjs:14

Remove the default fallback key. Fail if MAXIANER_API_KEY is not set.

Declared capability vs actual capability

Network Block

Declared NONE

→

Inferred WRITE

scripts/maxianer-call.mjs:47

Suspicious artifacts and egress

High IP Address

34.84.114.113

scripts/maxianer-call.mjs:13

Medium External URL

http://34.84.114.113:3333

scripts/maxianer-call.mjs:13

Dependencies and supply chain

There are no structured dependency warnings.

File composition

2 files · 181 lines

Markdown 1 files · 107 linesJavaScript 1 files · 74 lines

Files of concern · 2

SKILL.md Markdown · 107 lines

Doc-to-code mismatch — external network behavior not declared

scripts/maxianer-call.mjs JavaScript · 74 lines

Undeclared external data transmission · Hardcoded IP address with no DNS or config fallback · Embedded default API key in source · 34.84.114.113 · http://34.84.114.113:3333

Security positives

No reverse shell, RCE, or arbitrary code execution patterns detected

No base64/encoded payload execution found

No credential harvesting from ~/.ssh, ~/.aws, or .env files

No supply-chain risk from external dependencies (no package.json or dependencies)

JSON inputs are validated before use