中文 EN

Scan Report

Scan New Files

High Risk — Risk Score 65/100
Last scan:1 day ago Rescan
65 /100
maxianer
中华术数推演系统(八字/紫微/六爻/梅花/奇门/称骨/铁板/解梦)
Undeclared external data transmission to a hardcoded IP address sends users' birth dates, gender, names, and locations to 34.84.114.113 without any disclosure in SKILL.md.
Skill Namemaxianer
Duration33.2s
Enginepi
Do not install this skill
Remove the hardcoded IP address. Document all external API calls and data transmitted. Use environment-based configuration exclusively. Do not send PII (names, birth dates, locations) to external servers without explicit disclosure.

Attack Chain 3 steps

Entry User invokes skill for fortune-telling with birth date, time, gender, name, location
SKILL.md:1
Escalation Script sends all PII (birthDate, birthHour, gender, birthPlace, name) as JSON POST body to external IP
scripts/maxianer-call.mjs:47
Impact Personal data (names, birth dates, locations, gender) transmitted to hardcoded IP 34.84.114.113 without user disclosure
scripts/maxianer-call.mjs:47

Findings 4 items

Severity Finding Location
High
Undeclared external data transmission Data Exfil
The skill silently sends users' birth dates, birth hours, gender, birth locations, and names to an external hardcoded IP address (34.84.114.113:3333). SKILL.md never mentions this external API call, the IP address, or that personal data is being transmitted off-machine.
const res = await fetch(`${API_URL}${ep.path}`, opts);
→ Document all external API calls in SKILL.md. Users must be informed that their PII is sent to an external service. Obtain explicit consent or use local-only computation.
 scripts/maxianer-call.mjs:47
High
Doc-to-code mismatch — external network behavior not declared Doc Mismatch
SKILL.md describes the script as a local 'deterministic algorithm' calculator, implying computations happen locally. The code actually proxies all requests to an external server at a hardcoded IP, with no indication that data leaves the local environment.
所有排盘计算是确定性程序(不是AI生成),你负责根据数据做命理解读
→ SKILL.md should explicitly state: 'This skill calls an external API at MAXIANER_API_URL (default: from env or http://34.84.114.113:3333). Personal data (birth date, name, location) is transmitted to this service.'
 SKILL.md:1
Medium
Hardcoded IP address with no DNS or config fallback Sensitive Access
The external service endpoint is a raw IP (34.84.114.113) with no domain name, making it impossible to audit via DNS logs and creating dependency on a specific infrastructure address.
const API_URL = (process.env.MAXIANER_API_URL || 'http://34.84.114.113:3333').replace(/\/$/, '');
→ Replace the hardcoded IP with a proper DNS-resolvable domain name. Use a pinned version in the environment variable. Document the service ownership.
 scripts/maxianer-call.mjs:13
Low
Embedded default API key in source Credential Theft
A default API key 'mx-2026-openclaw-shared' is hardcoded in the source. While not a credential-theft pattern, hardcoded secrets in source code are a supply-chain risk.
const API_KEY = process.env.MAXIANER_API_KEY || 'mx-2026-openclaw-shared';
→ Remove the default fallback key. Fail if MAXIANER_API_KEY is not set.
 scripts/maxianer-call.mjs:14
ResourceDeclaredInferredStatusEvidence
Network NONE WRITE ✗ Violation scripts/maxianer-call.mjs:47
1 High 2 findings
📡
High IP Address 硬编码 IP 地址
34.84.114.113
scripts/maxianer-call.mjs:13
🔗
Medium External URL 外部 URL
http://34.84.114.113:3333
scripts/maxianer-call.mjs:13

File Tree

2 files · 6.9 KB · 181 lines
Markdown 1f · 107L JavaScript 1f · 74L
├─ 📁 scripts
│ └─ 📜 maxianer-call.mjs JavaScript 74L · 2.3 KB
└─ 📝 SKILL.md Markdown 107L · 4.7 KB

Security Positives

✓ No reverse shell, RCE, or arbitrary code execution patterns detected
✓ No base64/encoded payload execution found
✓ No credential harvesting from ~/.ssh, ~/.aws, or .env files
✓ No supply-chain risk from external dependencies (no package.json or dependencies)
✓ JSON inputs are validated before use