remnawave-robot 安全扫描报告 — 可疑 | ClawSafe

45 /100

remnawave-robot

Remnawave 账号全生命周期自动化管理 - VPN account lifecycle automation

Skill manages VPN account lifecycle with legitimate functionality but exhibits concerning patterns: hardcoded IP endpoint, SSL verification disabled, and suspicious external subscription URLs embedded in documentation.

技能名称remnawave-robot

分析耗时39.7s

引擎pi

⚠

谨慎使用

Review hardcoded IP 8.212.8.43 and verify legitimacy of datat.cc subscription URLs. Consider using domain names instead of raw IPs and enabling SSL verification.

安全发现 4 项

严重性	安全发现	位置
中危	Hardcoded IP address as default API endpoint 敏感访问 The Remnawave API address defaults to raw IP 8.212.8.43 instead of a domain name. This is suspicious for a production service. `const apiBaseUrl = await askQuestion('Remnawave API 地址', 'https://8.212.8.43');` → Use a proper domain name. If this is a self-hosted instance, document why IP is used instead of hostname.	`setup.js:148`
中危	SSL certificate verification disabled by default 敏感访问 Configuration sets sslRejectUnauthorized to true (ignoring SSL errors) which allows MITM attacks against the API connection. `sslRejectUnauthorized: sslReject.toLowerCase() === 'true'` → Enable SSL verification unless self-signed certs are genuinely required. Document the security implication.	`setup.js:158`
中危	Suspicious subscription URLs in documentation 文档欺骗 SMTP-FIX.md contains URLs to datat.cc domain with 'crypto-link' path - these are the actual subscription URLs being distributed to users. The domain naming is suspicious. `https://46force235a-6cb1-crypto-link.datat.cc/api/sub/wBMXavTEzFbxxY57` → Verify these are legitimate VPN subscription endpoints. Document the subscription service being used.	`SMTP-FIX.md:176`
低危	Configuration stored in parent directory .env 权限提升 The API token is stored in ../../.env rather than within the skill directory, giving broader filesystem access scope. `const ENV_FILE = path.join(__dirname, '../../.env');` → Document why parent directory access is needed and ensure .env is not committed to version control.	`create-account.js:39`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	Reads .env and config JSON files for credential access
网络访问	`READ`	`READ`	✓ 一致	HTTPS requests to Remnawave API and SMTP servers
命令执行	`NONE`	`NONE`	—	No shell execution in main JS scripts

1 高危 20 项发现

📡

高危 IP 地址硬编码 IP 地址

8.212.8.43

PUBLISH-SUMMARY.md:138

🔗

中危外部 URL 外部 URL

https://8.212.8.43

PUBLISH-SUMMARY.md:138

🔗

中危外部 URL 外部 URL

https://mail.zoho.com

SMTP-FIX.md:50

🔗

中危外部 URL 外部 URL

https://46force235a-6cb1-crypto-link.datat.cc/api/sub/wBMXavTEzFbxxY57

SMTP-FIX.md:176

🔗

中危外部 URL 外部 URL

https://46force235a-6cb1-crypto-link.datat.cc/api/sub/_6z3BUw1Ca5dqH0d

SMTP-FIX.md:184

🔗

中危外部 URL 外部 URL

https://rjdx19yd9zo.sg.larksuite.com/docx/EwMLdN3asoQ44FxOlN6lQ6frgdh?from=from_copylink

create-account.js:186

🔗

中危外部 URL 外部 URL

https://v2raytun.com/

create-account.js:187

🔗

中危外部 URL 外部 URL

https://testappdownload-bydtmscom.oss-cn-hongkong.aliyuncs.com/OPSFILE/v2RayTun_Setup.zip

create-account.js:188

🔗

中危外部 URL 外部 URL

https://apps.apple.com/us/app/v2raytun/id6476628951

create-account.js:189

🔗

中危外部 URL 外部 URL

https://sub.example.com/xxx

templates/account-created.md:15

🔗

中危外部 URL 外部 URL

https://apps.apple.com/...

templates/account-created.md:19

📧

提示邮箱邮箱地址

[email protected]

PUBLISH-SUMMARY.md:106

📧

提示邮箱邮箱地址

[email protected]

PUBLISH-SUMMARY.md:108

📧

提示邮箱邮箱地址

[email protected]

README.md:71

📧

提示邮箱邮箱地址

[email protected]

SMTP-FIX.md:87

📧

提示邮箱邮箱地址

[email protected]

SMTP-FIX.md:175

📧

提示邮箱邮箱地址

[email protected]

SMTP-FIX.md:205

📧

提示邮箱邮箱地址

[email protected]

SMTP-FIX.md:215

📧

提示邮箱邮箱地址

[email protected]

SMTP-FIX.md:234

📧

提示邮箱邮箱地址

[email protected]

templates/account-created.md:13

目录结构

23 文件 · 86.4 KB · 3279 行

JavaScript 12f · 1688L Markdown 8f · 1439L Shell 1f · 97L JSON 2f · 55L

├─ ▾ 📁 templates

│ └─ 📝 account-created.md Markdown 139L · 4.8 KB

├─ 📜 add-to-squad.js JavaScript 140L · 4.2 KB

├─ 📜 create-account.js JavaScript 354L · 11.4 KB

├─ 📜 delete-account.js JavaScript 108L · 3.0 KB

├─ 🔧 fix-zoho-smtp.sh Shell 97L · 3.0 KB

├─ 📜 get-squads.js JavaScript 97L · 2.7 KB

├─ 📝 manual-email-west-pc.md Markdown 68L · 1.6 KB

├─ 📋 package-lock.json JSON 25L · 626 B

├─ 📋 package.json JSON 30L · 793 B

├─ 📝 PUBLISH-SUMMARY.md Markdown 346L · 7.8 KB

├─ 📝 README.md Markdown 116L · 2.3 KB

├─ 📜 resend-email.js JavaScript 97L · 3.3 KB

├─ 📜 search-account.js JavaScript 99L · 2.9 KB

├─ 📜 send-account-email.js JavaScript 122L · 3.7 KB

├─ 📜 setup.js JavaScript 315L · 7.8 KB

├─ 📝 SKILL.md Markdown 289L · 5.9 KB

├─ 📝 SMTP-FIX.md Markdown 240L · 4.6 KB

├─ 📜 sync-squads.js JavaScript 98L · 2.7 KB

├─ 📜 test-config.js JavaScript 166L · 4.8 KB

├─ 📜 test-email.js JavaScript 48L · 1.5 KB

├─ 📜 test-smtp-direct.js JavaScript 44L · 1.3 KB

├─ 📝 技能检查报告 -2026-03-18.md Markdown 8L · 290 B

└─ 📝 技能检查报告-2026-03-18.md Markdown 233L · 5.7 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`nodemailer`	`^8.0.2`	npm	否	Version not pinned (caret range)

安全亮点

✓ Credentials stored with 0600 permissions (chmod 0o600)

✓ No base64-encoded payloads or obfuscated code

✓ No reverse shell or C2 infrastructure detected

✓ Uses standard HTTPS for API and SMTP connections

✓ No credential exfiltration attempts detected

✓ No unauthorized SSH/AWS credential access

✓ Shell script (fix-zoho-smtp.sh) is a diagnostic tool, not a persistence mechanism