rrbdagent Security Report — Low Risk | ClawSafe

15 /100

rrbdagent

RRBD Admin智能助手 - 数字人视频创建工具

Legitimate video creation API integration tool for RRBD platform. No malicious behavior detected; credentials are stored as declared for user convenience.

Skill Namerrbdagent

Duration38.5s

Enginepi

✓

Safe to install

Consider encrypting stored credentials in config.json instead of plaintext storage. Otherwise, this skill is safe to use for its declared purpose.

Findings 2 items

Severity	Finding	Location
Low	Plaintext Credential Storage User credentials are saved to config.json in plaintext when provided during login. While this behavior is declared in SKILL.md, storing sensitive data without encryption poses risk if the config file is compromised. `this.config.login.default_username = username; this.config.login.default_password = password; this.saveConfig();` → Use encrypted storage or a secure credential manager instead of plaintext JSON file storage	`api_client.js:55`
Info	Memory Persistence The skill maintains a memory.json file that stores recent video URLs and user preferences. `Stores recentVideos array with video URLs and titles` → Ensure memory.json is not exposed or shared publicly	`memory.json:1`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	api_client.js - axios calls to external API
Filesystem	`READ`	`READ/WRITE`	✓ Aligned	index.js:23-24 - reads/writes memory.json and config.json
Shell	`NONE`	`NONE`	—	No subprocess or shell execution found
Environment	`NONE`	`NONE`	—	No environment variable access
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No direct database access

28 findings

🔗

Medium External URL 外部 URL

https://rrbd20.yzidea.net/api

SKILL.md:112

🔗

Medium External URL 外部 URL

https://rrbd20ims.oss-cn-shenzhen.aliyuncs.com/1962755608750927873/20260318/db53e8268c9a4459a9f1280890962099.mp4

memory.json:8

🔗

Medium External URL 外部 URL

https://rrbd20ims.oss-cn-shenzhen.aliyuncs.com/1962755608750927873/20260318/2fd0e5fe338745899348050aad92fa03.mp4

memory.json:14

🔗

Medium External URL 外部 URL

https://rrbd20ims.oss-cn-shenzhen.aliyuncs.com/1962755608750927873/20260318/174f34fc8bce4dc4b7d38e7b5c2818bd.mp4

memory.json:20

💰

Medium Wallet Address 加密货币钱包地址

174f34fc8bce4dc4b7d38e7b5c2818bd

memory.json:20

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/asynckit/-/asynckit-0.4.0.tgz

package-lock.json:17

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/axios/-/axios-1.13.6.tgz

package-lock.json:22

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz

package-lock.json:32

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/combined-stream/-/combined-stream-1.0.8.tgz

package-lock.json:44

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/delayed-stream/-/delayed-stream-1.0.0.tgz

package-lock.json:55

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/dunder-proto/-/dunder-proto-1.0.1.tgz

package-lock.json:63

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/es-define-property/-/es-define-property-1.0.1.tgz

package-lock.json:76

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/es-errors/-/es-errors-1.3.0.tgz

package-lock.json:84

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/es-object-atoms/-/es-object-atoms-1.1.1.tgz

package-lock.json:92

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz

package-lock.json:103

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/follow-redirects/-/follow-redirects-1.15.11.tgz

package-lock.json:117

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/form-data/-/form-data-4.0.5.tgz

package-lock.json:136

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/function-bind/-/function-bind-1.1.2.tgz

package-lock.json:151

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/get-intrinsic/-/get-intrinsic-1.3.0.tgz

package-lock.json:159

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/get-proto/-/get-proto-1.0.1.tgz

package-lock.json:182

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/gopd/-/gopd-1.2.0.tgz

package-lock.json:194

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/has-symbols/-/has-symbols-1.1.0.tgz

package-lock.json:205

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/has-tostringtag/-/has-tostringtag-1.0.2.tgz

package-lock.json:216

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/hasown/-/hasown-2.0.2.tgz

package-lock.json:230

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz

package-lock.json:241

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/mime-db/-/mime-db-1.52.0.tgz

package-lock.json:249

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/mime-types/-/mime-types-2.1.35.tgz

package-lock.json:257

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz

package-lock.json:268

File Tree

37 files · 138.6 KB · 4019 lines

JavaScript 30f · 3121L JSON 4f · 511L Markdown 1f · 275L Python 2f · 112L

├─ ▾ 📁 scripts

│ ├─ 📜 check_video_status.js JavaScript 63L · 1.7 KB

│ ├─ 🐍 check_video_status.py Python 49L · 1.5 KB

│ ├─ 📜 create_another_video.js JavaScript 43L · 1.5 KB

│ ├─ 📜 create_laozeng_video.js JavaScript 86L · 3.4 KB

│ ├─ 📜 create_video_custom_title.js JavaScript 43L · 1.5 KB

│ ├─ 📜 create_video_fixed.js JavaScript 43L · 1.5 KB

│ ├─ 📜 generate_new_video.js JavaScript 48L · 1.8 KB

│ ├─ 📜 get_videos_now.js JavaScript 57L · 1.7 KB

│ ├─ 📜 just_get_videos.js JavaScript 51L · 1.6 KB

│ ├─ 📜 laozeng_video.js JavaScript 72L · 2.6 KB

│ ├─ 📜 login_and_check.js JavaScript 121L · 3.7 KB

│ ├─ 📜 make_video_now.js JavaScript 76L · 2.7 KB

│ ├─ 📜 quick_check.js JavaScript 83L · 3.1 KB

│ ├─ 📜 show_me_videos.js JavaScript 114L · 3.4 KB

│ ├─ 📜 test_fixed_code.js JavaScript 82L · 2.8 KB

│ ├─ 📜 test_szr_api.js JavaScript 134L · 4.2 KB

│ └─ 📜 videos_please.js JavaScript 27L · 786 B

├─ 📜 api_client.js JavaScript 443L · 15.6 KB

├─ 📜 check_now.js JavaScript 46L · 1.1 KB

├─ 📜 check_simple.js JavaScript 37L · 1.2 KB

├─ 📜 check_videos_now.js JavaScript 40L · 1.0 KB

├─ 🔑 config.json ⚠ JSON 21L · 694 B

├─ 📜 create_video_different_template.js JavaScript 157L · 5.9 KB

├─ 📜 create_video_laozeng_shuai.js JavaScript 158L · 5.9 KB

├─ 📜 create_video_laozeng_shuai2_final.js JavaScript 152L · 5.8 KB

├─ 📜 create_video_laozeng_shuai2.js JavaScript 159L · 5.9 KB

├─ 📜 create_video_using_skill.js JavaScript 146L · 5.1 KB

├─ 📜 index.js JavaScript 450L · 16.9 KB

├─ 📜 list_videos_final.js JavaScript 52L · 1.4 KB

├─ 📜 list_videos_simple.js JavaScript 47L · 1.3 KB

├─ 📜 list_videos.js JavaScript 61L · 1.9 KB

├─ 🐍 list_videos.py Python 63L · 1.8 KB

├─ 📋 memory.json JSON 23L · 948 B

├─ 📋 package-lock.json JSON 447L · 16.9 KB

├─ 📋 package.json JSON 20L · 387 B

├─ 📜 quick_check.js JavaScript 30L · 1003 B

└─ 📝 SKILL.md Markdown 275L · 8.7 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`axios`	`^1.6.2`	npm	No	Axios version has had historical vulnerabilities; consider pinning to a specific version

Security Positives

✓ No shell execution or subprocess usage

✓ No credential exfiltration beyond declared API endpoints

✓ No base64-encoded commands or obfuscated code

✓ No access to sensitive system paths (~/.ssh, ~/.aws, etc.)

✓ No hidden functionality or steganographic instructions

✓ Uses HTTPS for all external API communication

✓ No curl|bash or wget|sh remote script execution patterns

✓ Single dependency (axios) with reasonable version

✓ Proper error handling throughout codebase

✓ All network calls are to declared, relevant API endpoints

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives