Security Decision Report

remnawave-robot

The skill manages the VPN account lifecycle with legitimate functionality but exhibits concerning patterns: a hardcoded IP endpoint, SSL verification disabled by default, and suspicious external subscription URLs embedded in the documentation.

Install decision: priority review · Source: manual upload · Scan time: 2026/4/4
Files 23
IOCs 20
Over-privilege items 0
Findings 4
Most direct threat evidence
High-risk · IP address
8.212.8.43

Why this conclusion

1 of 4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources are broadly consistent with the inferred capabilities.

Block
Hidden execution and outbound connections

Extracted 1 high-risk IOC or outbound signal.

Pass
Attack chain and high-risk findings

No clear malicious path was formed.

Review
Dependency and supply-chain hygiene

Found 1 dependency or supply-chain item that needs attention.

How the risk score was raised

Hardcoded IP address as default API endpoint +15

8.212.8.43 used as default Remnawave API URL in setup and docs

SSL verification disabled by default +15

sslRejectUnauthorized: false in config, accepts self-signed certs

Suspicious external subscription URLs +10

datat.cc URLs with 'crypto-link' path embedded in SMTP-FIX.md

API token stored in .env at parent directory +5

ENV_FILE references ../../.env, configuration access documented

Key evidence

Medium · Sensitive access

Hardcoded IP address as default API endpoint

The Remnawave API address defaults to the raw IP 8.212.8.43 instead of a domain name. This is suspicious for a production service, and a raw IP also leaves no hostname for the TLS certificate to be checked against, which is typically how certificate verification ends up disabled alongside it.

setup.js:148
Use a proper domain name. If this is a self-hosted instance, document why IP is used instead of hostname.
Medium · Sensitive access

SSL certificate verification disabled by default

The configuration sets sslRejectUnauthorized to false (ignoring certificate errors), which allows MITM attacks against the API connection: any certificate, including one presented by an on-path attacker, is accepted.

setup.js:158
Enable SSL verification unless self-signed certs are genuinely required. Document the security implication.
Medium · Documentation deception

Suspicious subscription URLs in documentation

SMTP-FIX.md contains URLs on the datat.cc domain with a 'crypto-link' path; these are the actual subscription URLs being distributed to users. The domain naming is suspicious.

SMTP-FIX.md:176
Verify these are legitimate VPN subscription endpoints. Document the subscription service being used.
Low · Privilege escalation

Configuration stored in parent directory .env

The API token is stored in ../../.env rather than within the skill directory, giving broader filesystem access scope.

create-account.js:39
Document why parent directory access is needed and ensure .env is not committed to version control.

Declared vs. actual capabilities

File system · Pass
Declared: READ
Inferred: READ
Reads .env and config JSON files for credential access
Network access · Pass
Declared: READ
Inferred: READ
HTTPS requests to the Remnawave API and SMTP servers
Command execution · Pass
Declared: NONE
Inferred: NONE
No shell execution in the main JS scripts

Suspicious artifacts and outbound connections

High-risk · IP address
8.212.8.43

PUBLISH-SUMMARY.md:138

Medium · External URL
https://8.212.8.43

PUBLISH-SUMMARY.md:138

Medium · External URL
https://mail.zoho.com

SMTP-FIX.md:50

Medium · External URL
https://46force235a-6cb1-crypto-link.datat.cc/api/sub/wBMXavTEzFbxxY57

SMTP-FIX.md:176

Medium · External URL
https://46force235a-6cb1-crypto-link.datat.cc/api/sub/_6z3BUw1Ca5dqH0d

SMTP-FIX.md:184

Medium · External URL
https://rjdx19yd9zo.sg.larksuite.com/docx/EwMLdN3asoQ44FxOlN6lQ6frgdh?from=from_copylink

create-account.js:186

Medium · External URL
https://v2raytun.com/

create-account.js:187

Medium · External URL
https://testappdownload-bydtmscom.oss-cn-hongkong.aliyuncs.com/OPSFILE/v2RayTun_Setup.zip

create-account.js:188

Medium · External URL
https://apps.apple.com/us/app/v2raytun/id6476628951

create-account.js:189

Medium · External URL
https://sub.example.com/xxx

templates/account-created.md:15

Medium · External URL
https://apps.apple.com/...

templates/account-created.md:19

Info · Email
[email protected]

PUBLISH-SUMMARY.md:106

Dependencies and supply chain

Package     Version   Source   Vulnerabilities   Notes
nodemailer  ^8.0.2    npm      none reported     Version not pinned (caret range)

File composition

23 files · 3279 lines
JavaScript 12 files · 1688 lines
Markdown 8 files · 1439 lines
Shell 1 file · 97 lines
JSON 2 files · 55 lines
Files of concern · 5
create-account.js JavaScript · 354 lines
Configuration stored in parent directory .env · https://rjdx19yd9zo.sg.larksuite.com/docx/EwMLdN3asoQ44FxOlN6lQ6frgdh?from=from_copylink · https://v2raytun.com/ · https://testappdownload-bydtmscom.oss-cn-hongkong.aliyuncs.com/OPSFILE/v2RayTun_Setup.zip · https://apps.apple.com/us/app/v2raytun/id6476628951
PUBLISH-SUMMARY.md Markdown · 346 lines
8.212.8.43 · https://8.212.8.43 · [email protected] · [email protected]
setup.js JavaScript · 315 lines
Hardcoded IP address as default API endpoint · SSL certificate verification disabled by default
templates/account-created.md Markdown · 139 lines
https://sub.example.com/xxx · https://apps.apple.com/... · [email protected]
SMTP-FIX.md Markdown · 240 lines
Suspicious subscription URLs in documentation · https://mail.zoho.com · https://46force235a-6cb1-crypto-link.datat.cc/api/sub/wBMXavTEzFbxxY57 · https://46force235a-6cb1-crypto-link.datat.cc/api/sub/_6z3BUw1Ca5dqH0d · [email protected] · [email protected] · [email protected] · [email protected] · [email protected]
Other files · SKILL.md · 技能检查报告-2026-03-18.md · test-config.js · add-to-squad.js · send-account-email.js · resend-email.js +1

Security highlights

Credentials stored with 0600 permissions (chmod 0o600)
No base64-encoded payloads or obfuscated code
No reverse shell or C2 infrastructure detected
Uses standard HTTPS for API and SMTP connections
No credential exfiltration attempts detected
No unauthorized SSH/AWS credential access
Shell script (fix-zoho-smtp.sh) is a diagnostic tool, not a persistence mechanism