Trusted — Risk Score 5/100
Last scan: 1 day ago
renatus-icm
Manage Renatus event marketing campaigns as an ICM: email campaigns, lead export, browser-based guest registration via CDP, event landing page generation, and unsubscribe sync
Legitimate Renatus event marketing campaign toolkit with clear documentation, declared CDP/session-token access, and standard subprocess-based email sending. No malicious behavior, exfiltration, obfuscation, or credential theft observed.
Skill Name: renatus-icm
Duration: 48.0s
Engine: pi
Safe to install
Safe to use. Ensure Chrome/Brave CDP access uses a dedicated browser profile and credentials are managed per the documented security recommendations.

Findings (2 items)

Severity: Low
Finding: Broader CDP access declared than strictly needed for skill scope (Doc Mismatch)
Detail: SKILL.md says scripts 'connect to http://127.0.0.1:9222 to inspect your browser's localStorage/cookies for Renatus auth tokens' — this is accurate but the phrasing 'inspect cookies' could imply credential capture. Code only reads localStorage for session tokens, not raw cookie values or passwords.
Evidence: "Scripts connect to http://127.0.0.1:9222 to inspect your browser's localStorage/cookies for Renatus auth tokens"
Recommendation: Clarify that only localStorage session tokens (access_token, refresh_token, XSRF) are read, not raw cookies or passwords
Location: SKILL.md:28

Severity: Low
Finding: Missing dependency in unsubscribe sync script (Sensitive Access)
Detail: weekly_unsubscribe_sync.sh calls scripts/process_unsubscribes.py, which does not exist in the skill's file tree. This is a broken reference that would cause Step 3 to fail at runtime, not an exploitation path.
Evidence: python3 "$SCRIPT_DIR/process_unsubscribes.py"
Recommendation: Create or reference the correct unsubscribe processing script
Location: scripts/weekly_unsubscribe_sync.sh:100
Resource      Declared  Inferred  Status     Evidence
Filesystem    WRITE     WRITE     ✓ Aligned  SKILL.md declares file generation; scripts write CSV/JSON/config output
Network       READ      READ      ✓ Aligned  urllib requests to Supabase API and Renatus back office; all outbound URLs docum…
Shell         WRITE     WRITE     ✓ Aligned  subprocess.run for gws/gog CLI email sending (lines 134-150, send_commercial_ema…
Environment   READ      READ      ✓ Aligned  config_loader.py reads RENATUS_* env vars; renatus_leads.py reads SUPABASE_URL, …
Browser       READ      READ      ✓ Aligned  CDP localStorage access reads 'auth' and '__RequestVerificationToken' only; SKIL…
Clipboard     NONE      NONE      -          No clipboard access found
Skill Invoke  NONE      NONE      -          No skill-invoke patterns found
Database      READ      READ      ✓ Aligned  Supabase funnel_leads table reads via lead-admin-export edge function; SUPABASE_…
22 findings

Severity  Type          Value                                                                        Location
Medium    External URL  http://127.0.0.1:9222                                                        SKILL.md:28
Medium    External URL  https://backoffice.myrenatus.com/Events/EventDetails?eventId=...             SKILL.md:52
Medium    External URL  https://YOUR_REGISTRATION_PAGE/                                              SKILL.md:72
Medium    External URL  https://backoffice.myrenatus.com                                             SKILL.md:75
Medium    External URL  https://YOUR_DOMAIN                                                          assets/site/unsubscribe.html:57
Medium    External URL  https://YOUR_DOMAIN/unsubscribe.html                                         references/email-campaign.md:68
Medium    External URL  https://YOUR_DOMAIN/unsubscribe.html?e=                                      references/email-campaign.md:75
Medium    External URL  https://$REF.supabase.co/functions/v1/lead-admin-export?limit=500            references/email-campaign.md:158
Medium    External URL  https://YOUR_DOMAIN/commercial/                                              references/event-page-setup.md:30
Medium    External URL  https://yourdomain.com/commercial/                                           references/event-page-setup.md:118
Medium    External URL  https://backoffice.myrenatus.com/Events/EventDetails?eventId=                scripts/add_event.py:210
Medium    External URL  https://YOUR_PROJECT_REF.supabase.co                                         scripts/config_loader.py:78
Medium    External URL  https://YOUR_INSTRUCTOR_PHOTO_URL.jpg                                        scripts/config_loader.py:91
Medium    External URL  http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd                      scripts/generate_email_template.py:65
Medium    External URL  http://www.w3.org/1999/xhtml                                                 scripts/generate_email_template.py:66
Medium    External URL  https://YOUR_REGISTRATION_PAGE_URL/                                          scripts/generate_email_template.py:323
Medium    External URL  https://backoffice.myrenatus.com/Events/EventDetails?eventId=abc123...       scripts/generate_event_page.py:9
Medium    External URL  https://YOUR_PROJECT_REF.functions.supabase.co/submit-renatus-registration   scripts/generate_event_page.py:451
Medium    External URL  https://backoffice.myrenatus.com/Home/index                                  scripts/weekly_unsubscribe_sync.sh:146
Info      Email         [email protected]                                                            assets/site/unsubscribe.html:53
Info      Email         [email protected]                                                            references/email-campaign.md:5
Info      Email         [email protected]                                                            scripts/send_commercial_email_batches.py:13

File Tree

18 files · 172.2 KB · 4882 lines
Python: 9 files · 3404 lines | Markdown: 5 files · 894 lines | HTML: 2 files · 314 lines | Shell: 1 file · 266 lines | CSV: 1 file · 4 lines
├─ 📁 assets
│ ├─ 📁 site
│ │ ├─ 📄 confirmation.html HTML 162L · 7.3 KB
│ │ └─ 📄 unsubscribe.html HTML 152L · 6.7 KB
│ └─ 📄 sample_leads.csv CSV 4L · 263 B
├─ 📁 references
│ ├─ 📝 email-campaign.md Markdown 175L · 4.8 KB
│ ├─ 📝 event-page-setup.md Markdown 138L · 3.9 KB
│ ├─ 📝 supabase-setup.md Markdown 99L · 3.2 KB
│ └─ 📝 workflows.md Markdown 259L · 7.4 KB
├─ 📁 scripts
│ ├─ 🐍 add_event.py Python 298L · 11.0 KB
│ ├─ 🐍 config_loader.py Python 186L · 6.9 KB
│ ├─ 🐍 generate_calendar.py Python 260L · 8.7 KB
│ ├─ 🐍 generate_email_template.py Python 518L · 21.3 KB
│ ├─ 🐍 generate_event_page.py Python 700L · 26.1 KB
│ ├─ 🐍 renatus_delete_lead.py Python 333L · 9.8 KB
│ ├─ 🐍 renatus_leads.py Python 231L · 8.7 KB
│ ├─ 🐍 renatus_register_guest.py Python 582L · 17.8 KB
│ ├─ 🐍 send_commercial_email_batches.py Python 296L · 10.5 KB
│ └─ 🔧 weekly_unsubscribe_sync.sh Shell 266L · 7.9 KB
└─ 📝 SKILL.md Markdown 223L · 9.8 KB

Dependencies (1 item)

Package     Version     Source  Known Vulns  Notes
playwright  not pinned  pip     No           No requirements.txt found; playwright is the only runtime dependency, used exclusively for Chrome CDP browser automation

Security Positives

✓ SKILL.md comprehensively documents all credential requirements and security recommendations
✓ CDP access explicitly reads session tokens only, NOT passwords — documented inline at add_event.py line 43
✓ Email sending uses documented gws/gog CLI with subprocess.run — no hidden transmission
✓ All network requests target documented Supabase/Renatus endpoints — no arbitrary IP or C2 communication
✓ No base64, eval, or obfuscation patterns found in any Python or shell scripts
✓ No credential harvesting (no os.environ iteration, no ~/.ssh, ~/.aws, .env file reading)
✓ Dry-run defaults on registration and deletion scripts prevent accidental writes
✓ Lead export reads Supabase only with explicit admin token — no arbitrary data exfiltration
✓ Config file is gitignored and credentials can be fully env-var driven
✓ Bounce detection and unsubscribe sync are legitimate email compliance features
✓ All dependencies (playwright) are standard, pinned packages with no known supply chain risks