Trusted — Risk Score 5/100
Last scan: 2 days ago
velora-chat
Chat with AI companions on Velora (velora.cloudm8.net)
Legitimate browser automation script for testing Velora AI companion platform. All functionality is declared in SKILL.md with no hidden behavior, credential exfiltration, or suspicious network activity.
Skill Name: velora-chat
Duration: 25.0s
Engine: pi
Safe to install
This skill is safe to use. Ensure users don't share credentials in shared environments and consider using test accounts instead of production credentials.

Findings 2 items

Severity: Low
Finding: Browser capability not explicitly declared in SKILL.md
Location: SKILL.md:5
The skill uses Playwright's chromium.launch() which requires browser WRITE control, but SKILL.md only mentions 'browser automation' without specifying the required permission level.
Requires Playwright and Chromium for browser automation.
→ Add explicit declaration: 'browser:WRITE (required for Playwright chromium.launch)'

Severity: Info
Finding: Credentials passed via CLI arguments
Location: scripts/velora-chat.js:68
The script accepts email/password as command-line arguments which may be visible in process listings.
node scripts/velora-chat.js <email> <password>
→ Consider documenting that environment variables are the preferred method for credential passing

Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | SKILL.md:47, scripts/velora-chat.js:24 - Only connects to velora.cloudm8.net
Browser | READ | WRITE | ✓ Aligned | scripts/velora-chat.js:16 - Uses chromium.launch() which requires browser contro…
Filesystem | NONE | NONE | | No file operations detected
Shell | NONE | NONE | | No shell commands executed
Environment | READ | READ | ✓ Aligned | SKILL.md documents VELORA_EMAIL/VELORA_PASSWORD usage

4 findings
Medium | External URL | https://velora.cloudm8.net/login | SKILL.md:100
Info | Email | [email protected] | SKILL.md:33
Info | Email | [email protected] | SKILL.md:54
Info | Email | [email protected] | scripts/velora-chat.js:71

File Tree

3 files · 7.9 KB · 268 lines
Markdown 2f · 197L JavaScript 1f · 71L
├─ 📁 references
│ └─ 📝 companions.md Markdown 40L · 1.6 KB
├─ 📁 scripts
│ └─ 📜 velora-chat.js JavaScript 71L · 2.4 KB
└─ 📝 SKILL.md Markdown 157L · 3.9 KB

Dependencies 1 item

Package | Version | Source | Known Vulns | Notes
playwright | * | npm | No | Version not pinned in documentation

Security Positives

✓ No credential exfiltration or transmission to third parties
✓ All network activity limited to declared velora.cloudm8.net domain
✓ No shell execution, subprocess calls, or eval() usage
✓ No file system access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded payloads or obfuscated code
✓ No hidden functionality or steganography in comments
✓ Credentials documented as user-provided only
✓ Clear SKILL.md documentation of intended behavior