Skill Trust Decision

remnawave-robot

Skill manages VPN account lifecycle with legitimate functionality but exhibits concerning patterns: hardcoded IP endpoint, SSL verification disabled, and suspicious external subscription URLs embedded in documentation.

Source: Manual upload
Scanned: Apr 4, 2026
Files 23
Artifacts 20
Violations 0
Findings 4
Most direct threat evidence
High IP Address
8.212.8.43

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

What drove the risk score up

Hardcoded IP address as default API endpoint +15

8.212.8.43 used as default Remnawave API URL in setup and docs

SSL verification disabled by default +15

sslRejectUnauthorized: false in config, accepts self-signed certs

Suspicious external subscription URLs +10

datat.cc URLs with 'crypto-link' path embedded in SMTP-FIX.md

API token stored in .env at parent directory +5

ENV_FILE references ../../.env, configuration access documented

Most important evidence

Medium Sensitive Access

Hardcoded IP address as default API endpoint

The Remnawave API address defaults to raw IP 8.212.8.43 instead of a domain name. This is suspicious for a production service.

setup.js:148
Use a proper domain name. If this is a self-hosted instance, document why an IP address is used instead of a hostname.
Medium Sensitive Access

SSL certificate verification disabled by default

Configuration sets sslRejectUnauthorized to false (ignoring SSL certificate errors), which allows MITM attacks against the API connection.

setup.js:158
Enable SSL verification unless self-signed certs are genuinely required. Document the security implication.
Medium Doc Mismatch

Suspicious subscription URLs in documentation

SMTP-FIX.md contains URLs on the datat.cc domain with a 'crypto-link' path; these are the actual subscription URLs being distributed to users. The domain naming is suspicious.

SMTP-FIX.md:176
Verify these are legitimate VPN subscription endpoints. Document the subscription service being used.
Low Priv Escalation

Configuration stored in parent directory .env

The API token is stored in ../../.env rather than within the skill directory, giving broader filesystem access scope.

create-account.js:39
Document why parent directory access is needed and ensure .env is not committed to version control.

Declared capability vs actual capability

Filesystem · Pass
Declared: READ · Inferred: READ
Reads .env and config JSON files for credential access

Network · Pass
Declared: READ · Inferred: READ
HTTPS requests to Remnawave API and SMTP servers

Shell · Pass
Declared: NONE · Inferred: NONE
No shell execution in main JS scripts

Suspicious artifacts and egress

High IP Address
8.212.8.43

PUBLISH-SUMMARY.md:138

Medium External URL
https://8.212.8.43

PUBLISH-SUMMARY.md:138

Medium External URL
https://mail.zoho.com

SMTP-FIX.md:50

Medium External URL
https://46force235a-6cb1-crypto-link.datat.cc/api/sub/wBMXavTEzFbxxY57

SMTP-FIX.md:176

Medium External URL
https://46force235a-6cb1-crypto-link.datat.cc/api/sub/_6z3BUw1Ca5dqH0d

SMTP-FIX.md:184

Medium External URL
https://rjdx19yd9zo.sg.larksuite.com/docx/EwMLdN3asoQ44FxOlN6lQ6frgdh?from=from_copylink

create-account.js:186

Medium External URL
https://v2raytun.com/

create-account.js:187

Medium External URL
https://testappdownload-bydtmscom.oss-cn-hongkong.aliyuncs.com/OPSFILE/v2RayTun_Setup.zip

create-account.js:188

Medium External URL
https://apps.apple.com/us/app/v2raytun/id6476628951

create-account.js:189

Medium External URL
https://sub.example.com/xxx

templates/account-created.md:15

Medium External URL
https://apps.apple.com/...

templates/account-created.md:19

Info Email
[email protected]

PUBLISH-SUMMARY.md:106

Dependencies and supply chain

Package     Version  Source  Known vuln  Notes
nodemailer  ^8.0.2   npm     No          Version not pinned (caret range)

File composition

23 files · 3279 lines
JavaScript 12 files · 1688 lines
Markdown 8 files · 1439 lines
Shell 1 file · 97 lines
JSON 2 files · 55 lines
Files of concern · 5
create-account.js JavaScript · 354 lines
Configuration stored in parent directory .env · https://rjdx19yd9zo.sg.larksuite.com/docx/EwMLdN3asoQ44FxOlN6lQ6frgdh?from=from_copylink · https://v2raytun.com/ · https://testappdownload-bydtmscom.oss-cn-hongkong.aliyuncs.com/OPSFILE/v2RayTun_Setup.zip · https://apps.apple.com/us/app/v2raytun/id6476628951
PUBLISH-SUMMARY.md Markdown · 346 lines
8.212.8.43 · https://8.212.8.43 · [email protected] · [email protected]
setup.js JavaScript · 315 lines
Hardcoded IP address as default API endpoint · SSL certificate verification disabled by default
templates/account-created.md Markdown · 139 lines
https://sub.example.com/xxx · https://apps.apple.com/... · [email protected]
SMTP-FIX.md Markdown · 240 lines
Suspicious subscription URLs in documentation · https://mail.zoho.com · https://46force235a-6cb1-crypto-link.datat.cc/api/sub/wBMXavTEzFbxxY57 · https://46force235a-6cb1-crypto-link.datat.cc/api/sub/_6z3BUw1Ca5dqH0d · [email protected] · [email protected] · [email protected] · [email protected] · [email protected]
Other files · SKILL.md · 技能检查报告-2026-03-18.md · test-config.js · add-to-squad.js · send-account-email.js · resend-email.js +1

Security positives

Credentials stored with 0600 permissions (chmod 0o600)
No base64-encoded payloads or obfuscated code
No reverse shell or C2 infrastructure detected
Uses standard HTTPS for API and SMTP connections
No credential exfiltration attempts detected
No unauthorized SSH/AWS credential access
Shell script (fix-zoho-smtp.sh) is a diagnostic tool, not a persistence mechanism