rrbdagent 安全扫描报告 — 低风险 | ClawSafe

15 /100

rrbdagent

RRBD Admin智能助手 - 数字人视频创建工具

Legitimate video creation API integration tool for RRBD platform. No malicious behavior detected; credentials are stored as declared for user convenience.

技能名称rrbdagent

分析耗时38.5s

引擎pi

✓

可以安装

Consider encrypting stored credentials in config.json instead of plaintext storage. Otherwise, this skill is safe to use for its declared purpose.

安全发现 2 项

严重性	安全发现	位置
低危	Plaintext Credential Storage User credentials are saved to config.json in plaintext when provided during login. While this behavior is declared in SKILL.md, storing sensitive data without encryption poses risk if the config file is compromised. `this.config.login.default_username = username; this.config.login.default_password = password; this.saveConfig();` → Use encrypted storage or a secure credential manager instead of plaintext JSON file storage	`api_client.js:55`
提示	Memory Persistence The skill maintains a memory.json file that stores recent video URLs and user preferences. `Stores recentVideos array with video URLs and titles` → Ensure memory.json is not exposed or shared publicly	`memory.json:1`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	api_client.js - axios calls to external API
文件系统	`READ`	`READ/WRITE`	✓ 一致	index.js:23-24 - reads/writes memory.json and config.json
命令执行	`NONE`	`NONE`	—	No subprocess or shell execution found
环境变量	`NONE`	`NONE`	—	No environment variable access
技能调用	`NONE`	`NONE`	—	No cross-skill invocation
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No direct database access

28 项发现

🔗

中危外部 URL 外部 URL

https://rrbd20.yzidea.net/api

SKILL.md:112

🔗

中危外部 URL 外部 URL

https://rrbd20ims.oss-cn-shenzhen.aliyuncs.com/1962755608750927873/20260318/db53e8268c9a4459a9f1280890962099.mp4

memory.json:8

🔗

中危外部 URL 外部 URL

https://rrbd20ims.oss-cn-shenzhen.aliyuncs.com/1962755608750927873/20260318/2fd0e5fe338745899348050aad92fa03.mp4

memory.json:14

🔗

中危外部 URL 外部 URL

https://rrbd20ims.oss-cn-shenzhen.aliyuncs.com/1962755608750927873/20260318/174f34fc8bce4dc4b7d38e7b5c2818bd.mp4

memory.json:20

💰

中危钱包地址加密货币钱包地址

174f34fc8bce4dc4b7d38e7b5c2818bd

memory.json:20

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/asynckit/-/asynckit-0.4.0.tgz

package-lock.json:17

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/axios/-/axios-1.13.6.tgz

package-lock.json:22

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz

package-lock.json:32

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/combined-stream/-/combined-stream-1.0.8.tgz

package-lock.json:44

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/delayed-stream/-/delayed-stream-1.0.0.tgz

package-lock.json:55

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/dunder-proto/-/dunder-proto-1.0.1.tgz

package-lock.json:63

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/es-define-property/-/es-define-property-1.0.1.tgz

package-lock.json:76

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/es-errors/-/es-errors-1.3.0.tgz

package-lock.json:84

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/es-object-atoms/-/es-object-atoms-1.1.1.tgz

package-lock.json:92

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz

package-lock.json:103

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/follow-redirects/-/follow-redirects-1.15.11.tgz

package-lock.json:117

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/form-data/-/form-data-4.0.5.tgz

package-lock.json:136

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/function-bind/-/function-bind-1.1.2.tgz

package-lock.json:151

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/get-intrinsic/-/get-intrinsic-1.3.0.tgz

package-lock.json:159

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/get-proto/-/get-proto-1.0.1.tgz

package-lock.json:182

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/gopd/-/gopd-1.2.0.tgz

package-lock.json:194

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/has-symbols/-/has-symbols-1.1.0.tgz

package-lock.json:205

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/has-tostringtag/-/has-tostringtag-1.0.2.tgz

package-lock.json:216

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/hasown/-/hasown-2.0.2.tgz

package-lock.json:230

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz

package-lock.json:241

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/mime-db/-/mime-db-1.52.0.tgz

package-lock.json:249

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/mime-types/-/mime-types-2.1.35.tgz

package-lock.json:257

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz

package-lock.json:268

目录结构

37 文件 · 138.6 KB · 4019 行

JavaScript 30f · 3121L JSON 4f · 511L Markdown 1f · 275L Python 2f · 112L

├─ ▾ 📁 scripts

│ ├─ 📜 check_video_status.js JavaScript 63L · 1.7 KB

│ ├─ 🐍 check_video_status.py Python 49L · 1.5 KB

│ ├─ 📜 create_another_video.js JavaScript 43L · 1.5 KB

│ ├─ 📜 create_laozeng_video.js JavaScript 86L · 3.4 KB

│ ├─ 📜 create_video_custom_title.js JavaScript 43L · 1.5 KB

│ ├─ 📜 create_video_fixed.js JavaScript 43L · 1.5 KB

│ ├─ 📜 generate_new_video.js JavaScript 48L · 1.8 KB

│ ├─ 📜 get_videos_now.js JavaScript 57L · 1.7 KB

│ ├─ 📜 just_get_videos.js JavaScript 51L · 1.6 KB

│ ├─ 📜 laozeng_video.js JavaScript 72L · 2.6 KB

│ ├─ 📜 login_and_check.js JavaScript 121L · 3.7 KB

│ ├─ 📜 make_video_now.js JavaScript 76L · 2.7 KB

│ ├─ 📜 quick_check.js JavaScript 83L · 3.1 KB

│ ├─ 📜 show_me_videos.js JavaScript 114L · 3.4 KB

│ ├─ 📜 test_fixed_code.js JavaScript 82L · 2.8 KB

│ ├─ 📜 test_szr_api.js JavaScript 134L · 4.2 KB

│ └─ 📜 videos_please.js JavaScript 27L · 786 B

├─ 📜 api_client.js JavaScript 443L · 15.6 KB

├─ 📜 check_now.js JavaScript 46L · 1.1 KB

├─ 📜 check_simple.js JavaScript 37L · 1.2 KB

├─ 📜 check_videos_now.js JavaScript 40L · 1.0 KB

├─ 🔑 config.json ⚠ JSON 21L · 694 B

├─ 📜 create_video_different_template.js JavaScript 157L · 5.9 KB

├─ 📜 create_video_laozeng_shuai.js JavaScript 158L · 5.9 KB

├─ 📜 create_video_laozeng_shuai2_final.js JavaScript 152L · 5.8 KB

├─ 📜 create_video_laozeng_shuai2.js JavaScript 159L · 5.9 KB

├─ 📜 create_video_using_skill.js JavaScript 146L · 5.1 KB

├─ 📜 index.js JavaScript 450L · 16.9 KB

├─ 📜 list_videos_final.js JavaScript 52L · 1.4 KB

├─ 📜 list_videos_simple.js JavaScript 47L · 1.3 KB

├─ 📜 list_videos.js JavaScript 61L · 1.9 KB

├─ 🐍 list_videos.py Python 63L · 1.8 KB

├─ 📋 memory.json JSON 23L · 948 B

├─ 📋 package-lock.json JSON 447L · 16.9 KB

├─ 📋 package.json JSON 20L · 387 B

├─ 📜 quick_check.js JavaScript 30L · 1003 B

└─ 📝 SKILL.md Markdown 275L · 8.7 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`axios`	`^1.6.2`	npm	否	Axios version has had historical vulnerabilities; consider pinning to a specific version

安全亮点

✓ No shell execution or subprocess usage

✓ No credential exfiltration beyond declared API endpoints

✓ No base64-encoded commands or obfuscated code

✓ No access to sensitive system paths (~/.ssh, ~/.aws, etc.)

✓ No hidden functionality or steganographic instructions

✓ Uses HTTPS for all external API communication

✓ No curl|bash or wget|sh remote script execution patterns

✓ Single dependency (axios) with reasonable version

✓ Proper error handling throughout codebase

✓ All network calls are to declared, relevant API endpoints