Kunwu Builder (坤吾工业仿真软件控制技能) Security Report — Low Risk | ClawSafe

10 /100

Kunwu Builder (坤吾工业仿真软件控制技能)

HTTP API client for Kunwu Builder industrial simulation software — controls robot models, gripper behaviors, assembly, and scene management

This is a legitimate HTTP API client for Kunwu Builder industrial simulation software with no malicious behavior. Only minor documentation inconsistencies and hardcoded private IPs in test files were identified, with no actual security impact.

Skill NameKunwu Builder (坤吾工业仿真软件控制技能)

Duration77.2s

Enginepi

✓

Safe to install

Approve for use. Consider updating test files to consistently use environment variables instead of hardcoded private IPs, and fix the deprecated /model/download endpoint reference in EXPORT-GUIDE.md.

Findings 3 items

Severity	Finding	Location
Low	Deprecated API endpoint still referenced in EXPORT-GUIDE.md Doc Mismatch EXPORT-GUIDE.md line 99 references /model/download endpoint which was removed from SKILL.md as of 2026-03-20. This is a documentation inconsistency without security impact since the code no longer calls this endpoint. `/model/download` → Update EXPORT-GUIDE.md to remove /model/download reference and use /model/create + checkFromCloud:true instead	`EXPORT-GUIDE.md:99`
Low	kunwu_call tool not formally declared in SKILL.md capability section Doc Mismatch SKILL.md uses the kunwu_call tool in examples but does not explicitly declare it as an HTTP POST tool with network:READ capability. The tool name matches the pattern of an LLM tool wrapper. ### `kunwu_call` → Add a capability declaration section at the top of SKILL.md listing allowed tools (kunwu_call as HTTP POST, with network:READ)	`SKILL.md:1`
Info	Hardcoded private IP addresses in test files Sensitive Access Multiple test-*.js files hardcode private IP addresses (100.85.119.45, 192.168.176.1, 192.168.30.9) as BASE_URL defaults. While these are private IPs appropriate for industrial networks, hardcoding different IPs across test files creates inconsistency. The main kunwu-tool.js uses KUNWU_API_URL env var as the primary method. `const BASE_URL = process.env.KUNWU_API_URL \|\| 'http://100.85.119.45:16888'` → Ensure all test files consistently read KUNWU_API_URL and remove hardcoded fallback IPs for production deployment	`test-*.js, kunwu-tool.js:11`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	kunwu-tool.js:11 - http.request() to configurable API endpoint; SKILL.md declare…
Filesystem	`NONE`	`NONE`	—	scripts/model-loader.js:fs.readFileSync() only reads local JSON model config fil…
Shell	`NONE`	`NONE`	—	grep confirmed: no child_process, exec, spawn, or shell execution patterns in an…
Environment	`READ`	`READ`	✓ Aligned	kunwu-tool.js:11 - reads KUNWU_API_URL; no iteration over os.environ for secrets
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation patterns found
Clipboard	`NONE`	`NONE`	—	No clipboard API usage
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database access

1 High 5 findings

📡

High IP Address 硬编码 IP 地址

100.85.119.45

EXPORT-GUIDE.md:77

🔗

Medium External URL 外部 URL

http://127.0.0.1:16888

EXPORT-GUIDE.md:74

🔗

Medium External URL 外部 URL

http://100.85.119.45:16888

EXPORT-GUIDE.md:77

🔗

Medium External URL 外部 URL

http://127.0.0.1:16888/system/ping

EXPORT-GUIDE.md:257

🔗

Medium External URL 外部 URL

http://192.168.30.9:16888

SKILL.md:9

File Tree

72 files · 403.3 KB · 13767 lines

JavaScript 58f · 10860L Markdown 11f · 2789L JSON 3f · 118L

├─ ▾ 📁 scripts

│ ├─ 📜 model-loader.js JavaScript 242L · 6.3 KB

│ ├─ 📋 models-dual-robot-trays.json JSON 73L · 1.4 KB

│ └─ 📋 models-example.json JSON 28L · 503 B

├─ ▾ 📁 tests-deprecated

│ ├─ 📜 test-download-debug.js JavaScript 102L · 2.7 KB

│ ├─ 📜 test-download-direct.js JavaScript 78L · 2.0 KB

│ ├─ 📜 test-download-local.js JavaScript 64L · 2.0 KB

│ ├─ 📜 test-download-one-gripper.js JavaScript 116L · 3.4 KB

│ └─ 📜 test-download-with-path.js JavaScript 135L · 4.0 KB

├─ 📝 api-reference.md Markdown 133L · 3.4 KB

├─ 📜 auto-gripper-behavior.js JavaScript 140L · 5.1 KB

├─ 📝 EXPORT-GUIDE.md Markdown 303L · 8.1 KB

├─ 📝 INDUSTRIAL-PATTERNS.md Markdown 365L · 7.6 KB

├─ 📜 kunwu-tool.js JavaScript 1180L · 31.2 KB

├─ 📝 MIGRATION-2026-03-20.md Markdown 94L · 2.7 KB

├─ 📋 package.json JSON 17L · 453 B

├─ 📝 QUICKSTART.md Markdown 113L · 2.5 KB

├─ 📝 README.md Markdown 104L · 2.1 KB

├─ 📝 SKILL_USAGE.md Markdown 697L · 20.8 KB

├─ 📝 SKILL.md Markdown 484L · 13.2 KB

├─ 📜 task-builder.js JavaScript 491L · 12.8 KB

├─ 📜 test-50-rounds.js JavaScript 254L · 8.7 KB

├─ 📜 test-add-behavior-child.js JavaScript 94L · 2.9 KB

├─ 📜 test-add-rotate-x.js JavaScript 103L · 3.0 KB

├─ 📜 test-all-grippers-final.js JavaScript 283L · 8.4 KB

├─ 📜 test-asm-demo.js JavaScript 165L · 5.8 KB

├─ 📜 test-asm-quick.js JavaScript 143L · 4.4 KB

├─ 📜 test-asm-v4.js JavaScript 154L · 4.6 KB

├─ 📜 test-assemble-correct.js JavaScript 220L · 8.0 KB

├─ 📜 test-assemble-existing.js JavaScript 179L · 6.2 KB

├─ 📜 test-assemble-final-correct.js JavaScript 201L · 7.0 KB

├─ 📜 test-assemble-final.js JavaScript 198L · 6.9 KB

├─ 📜 test-assemble-smart.js JavaScript 375L · 11.5 KB

├─ 📜 test-assemble-with-create.js JavaScript 231L · 7.4 KB

├─ 📜 test-assemble.js JavaScript 255L · 7.9 KB

├─ 📜 test-auto-wait-wrapper.js JavaScript 153L · 4.8 KB

├─ 📜 test-behavior-v2.js JavaScript 130L · 3.7 KB

├─ 📜 test-behavior.js JavaScript 135L · 4.2 KB

├─ 📜 test-bracket-workaround.js JavaScript 162L · 4.9 KB

├─ 📜 test-camera-bracket-assemble.js JavaScript 264L · 8.7 KB

├─ 📜 test-check-all-tasks.js JavaScript 79L · 1.9 KB

├─ 📜 test-check-existing.js JavaScript 63L · 1.7 KB

├─ 📜 test-check-grippers.js JavaScript 96L · 2.4 KB

├─ 📜 test-connection-kunwu.js JavaScript 64L · 1.6 KB

├─ 📜 test-create-gripper.js JavaScript 129L · 3.7 KB

├─ 📜 test-create-model.js JavaScript 66L · 1.7 KB

├─ 📜 test-debug-task.js JavaScript 43L · 1.1 KB

├─ 📜 test-final-assemble.js JavaScript 170L · 5.1 KB

├─ 📜 test-final-report.js JavaScript 99L · 3.0 KB

├─ 📜 test-find-child.js JavaScript 87L · 2.3 KB

├─ 📜 test-full.js JavaScript 66L · 1.9 KB

├─ 📜 test-gripper-download-debug.js JavaScript 95L · 2.4 KB

├─ 📜 test-gripper-result.js JavaScript 114L · 3.1 KB

├─ 📜 test-grippers-behavior.js JavaScript 278L · 8.2 KB

├─ 📜 test-local-library.js JavaScript 39L · 1.1 KB

├─ 📜 test-new-apis.js JavaScript 133L · 4.4 KB

├─ 📜 test-pick-sort-final.js JavaScript 187L · 6.4 KB

├─ 📜 test-pick-sort-scene.js JavaScript 194L · 6.3 KB

├─ 📜 test-pick-sort-simple.js JavaScript 235L · 7.2 KB

├─ 📜 test-pick-sort-v2.js JavaScript 258L · 8.0 KB

├─ 📜 test-pick-sort-v3.js JavaScript 246L · 7.5 KB

├─ 📜 test-proper-assemble.js JavaScript 224L · 6.9 KB

├─ 📜 test-query-task.js JavaScript 25L · 591 B

├─ 📜 test-remote-camera.js JavaScript 119L · 3.4 KB

├─ 📝 TEST-REPORT.md Markdown 146L · 4.6 KB

├─ 📜 test-robot-asm-final.js JavaScript 202L · 6.7 KB

├─ 📜 test-robot-asm-v2.js JavaScript 134L · 4.1 KB

├─ 📜 test-robot-asm-v3.js JavaScript 178L · 5.6 KB

├─ 📜 test-robot-assembly.js JavaScript 225L · 7.6 KB

├─ 📜 test-scene-dual-robot.js JavaScript 288L · 8.8 KB

├─ 📜 test-smart-rounds.js JavaScript 477L · 13.4 KB

├─ 📝 TODO-APIS.md Markdown 151L · 4.0 KB

└─ 📝 UPDATE-SUMMARY.md Markdown 199L · 5.5 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`none (pure Node.js built-ins)`	`N/A`	built-in	No	Only uses Node.js built-in modules: http, fs, path — no external npm packages

Security Positives

✓ No shell execution, child_process, or subprocess usage found — only Node.js built-in http module

✓ No credential harvesting, password/token theft, or environment variable iteration for secrets

✓ No base64 obfuscation, eval(), Function(), or anti-analysis patterns

✓ No data exfiltration, C2 communication, or outbound data transfer beyond declared simulation API

✓ No sensitive file access (~/.ssh, ~/.aws, .env files)

✓ No persistence mechanisms (cron, startup hooks, backdoors)

✓ No prompt injection or jailbreak instructions

✓ No supply chain risks — package.json has no external dependencies (pure Node.js built-ins only)

✓ API URL is configurable via KUNWU_API_URL environment variable, not hardcoded as the sole option in main tool

✓ All code is readable, well-commented, and performs expected industrial simulation control operations

✓ No downloads or remote script execution (curl|bash, wget|sh patterns absent)

Scan Report

Findings 3 items

File Tree

Dependencies 1 items

Security Positives