Low Risk — Risk Score 10/100
Last scan: 2 days ago
vanio
Connect your agent to Airbnb, Booking.com & VRBO via Vanio AI — vacation rental property management CLI
Vanio AI CLI is a legitimate vacation rental property management tool with standard OAuth login flow and minimal shell execution limited to opening browser URLs.
Skill Name: vanio
Duration: 34.5s
Engine: pi
Safe to install
Approve for use. The shell execution via `exec` is confined to browser URL opening for OAuth and poses no security risk. Ensure `api.vanio.ai` is a trusted endpoint before enabling network access.

Findings (2 items)

Finding 1 of 2
Severity: Low
Finding: Undeclared shell execution for OAuth
Location: src/index.ts:107
The CLI uses child_process.exec to open the user's default browser for OAuth authentication, but this behavior is not documented in SKILL.md. However, this is a standard and necessary CLI practice.
Evidence: const { exec } = await import('child_process'); exec(openCmd)
→ Document browser opening behavior in SKILL.md for transparency, or use a platform-appropriate library such as the 'open' package

Finding 2 of 2
Severity: Low
Finding: API key stored in plaintext config file
Location: src/index.ts:18
The API key is stored in ~/.config/vanio/config.json without encryption. While this is standard for CLI tools, it could be improved with OS keychain integration.
Evidence: writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2))
→ Consider using OS-native credential storage (Keychain on macOS, Keyring on Linux) for enhanced security
Resource   | Declared | Inferred | Status    | Evidence
Filesystem | WRITE    | WRITE    | ✓ Aligned | src/index.ts:14-15 writes to ~/.config/vanio/config.json for API key persistence
Network    | WRITE    | WRITE    | ✓ Aligned | src/index.ts:54-66 POSTs to api.vanio.ai with API key header
Shell      | NONE     | WRITE    | ✓ Aligned | src/index.ts:107-111 uses child_process.exec to open browser URL for OAuth — not…
External URLs (3 findings)

Severity | Finding      | URL                  | Location
Medium   | External URL | https://www.vanio.ai | SKILL.md:5
Medium   | External URL | https://api.vanio.ai | dist/index.cjs:2
Medium   | External URL | http://127.0.0.1     | dist/index.cjs:2

File Tree

5 files · 23.8 KB · 584 lines
TypeScript: 1 file, 377 lines · Markdown: 1 file, 118 lines · JavaScript: 2 files, 72 lines · JSON: 1 file, 17 lines
├─ 📁 dist
│ └─ 📜 index.cjs JavaScript 50L · 7.4 KB
├─ 📁 src
│ └─ 📜 index.ts TypeScript 377L · 11.4 KB
├─ 📜 build.mjs JavaScript 22L · 559 B
├─ 📋 package.json JSON 17L · 518 B
└─ 📝 SKILL.md Markdown 118L · 4.0 KB

Dependencies (1 item)

Package | Version | Source  | Known Vulns | Notes
none    | N/A     | bundled | No          | No external dependencies — uses only Node.js built-in modules (fs, path, os, http, crypto, child_process)

Security Positives

✓ CSRF protection implemented via state parameter in OAuth callback
✓ API key masked in console output (only first 8 chars shown)
✓ Config stored in user's home directory with appropriate path (~/.config/vanio/)
✓ HTTPS enforced for all API communications
✓ No dependencies with known vulnerabilities (package.json has no external dependencies)
✓ OAuth callback server binds to 127.0.0.1 only, not exposed externally
✓ API key sourced from environment variable with fallback to config file
✓ No credential exfiltration or suspicious network destinations beyond declared API endpoint
✓ Source code is readable TypeScript with clear, standard patterns