Downloads: 218
Stars: 0
Active Installs: 0
Versions: 7
Install in OpenClaw
/install remnawave-robot
Description
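Automates the full lifecycle of Remnawave accounts: setup wizard, account creation, group sync, account lookup, deletion and batch operations, with email notifications.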
Usage Guidance
This package appears to implement the described Remnawave account-management functions, but it has practical and security issues you should address before installing or running it:
- Expect to provide two sensitive credentials: a Remnawave API token and SMTP credentials (username/password). The skill metadata did NOT list these — treat that as a red flag and verify externally before trusting the package.
- The scripts read/write ../../.env (workspace-level .env). That file may be shared by other tools; don't point this skill at a .env that contains unrelated secrets. Prefer a dedicated credentials file or isolated test workspace.
- SMTP credentials are kept in config/smtp.json in plaintext (though files are chmod 600). Consider using a dedicated mailbox with minimal privileges or an app-specific credential rather than a primary admin mailbox.
- Default/config examples suggest disabling SSL verification and an API base using a raw IP address; avoid setting sslRejectUnauthorized=false in production and confirm the API endpoint is legitimate.
- Several templates and docs reference external domains (datat.cc, third-party download URLs). Validate those URLs independently — they may host subscription links or third-party binaries.
- Run the code first in an isolated test environment (non-production account, isolated workspace) and audit the files it writes (../../.env and logs) before using on real production secrets.
- If you proceed, consider editing setup.js to change the .env path to a skill-local secure store, or store the REMNAWAVE_API_TOKEN in a dedicated credential manager rather than workspace .env.
Capability Analysis
Type: OpenClaw Skill
Name: remnawave-robot
Version: 1.0.6
The bundle is an automation toolkit for managing Remnawave VPN accounts, squads, and email notifications. It handles sensitive credentials, including API tokens and SMTP passwords, storing them in local configuration files (e.g., `config/smtp.json` and `.env`). While the scripts appear to be legitimate administrative tools, they contain high-risk behaviors and vulnerabilities: the `setup.js` and `remnawave.json` files allow for disabling SSL certificate verification (`sslRejectUnauthorized: false`), and the `fix-zoho-smtp.sh` script explicitly prints the entire SMTP configuration—including plaintext passwords—to the console. These practices expose sensitive credentials to the agent's execution logs and increase the risk of man-in-the-middle attacks.
Capability Assessment
Purpose & Capability
The repository implements Remnawave account lifecycle operations (create/search/sync/delete/add-to-group, send email), which matches the skill description. However the skill metadata declared no required env vars / credentials while the code clearly requires an API token and SMTP credentials (it reads ../../.env for REMNAWAVE_API_TOKEN and config/smtp.json for SMTP). This metadata omission is an incoherence you should be aware of.
Instruction Scope
SKILL.md tells the operator to run setup.js and other scripts; the runtime instructions map to the provided scripts. But the docs and scripts encourage disabling SSL verification for a default API IP (apiBaseUrl default is an IP: 8.212.8.43 and sslRejectUnauthorized can be set to false), which weakens TLS security. The code reads and writes ../../.env and writes logs under ../../logs (outside the skill folder), increasing the chance of touching shared files. Templates and docs include external subscription links (e.g., datat.cc and other domains); verify those endpoints.
Install Mechanism
No external download/install spec; the package is instruction + code with a single npm dependency (nodemailer). No obscure remote install URLs or archive extraction were observed. You must run npm install locally to fetch nodemailer from the public registry (expected).
Credentials
The skill requires sensitive secrets in practice (Remnawave API token and SMTP username/password) but the registry metadata did not declare them. The code stores/reads credentials in files: config/smtp.json (contains SMTP auth) and ../../.env (REMNAWAVE_API_TOKEN). Storing plaintext SMTP credentials in config and writing/reading a workspace-level .env file can expose secrets to other tools or skills sharing that workspace.
Persistence & Privilege
Skill does not request always:true and does not alter other skills' configs. However it writes outside its own directory (../../.env and ../../logs/...), which gives it persistent footprint in the workspace root — this is allowed for configuration but increases attack surface if the workspace .env contains other secrets or is shared.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install remnawave-robot
- After installation, invoke the skill by name or use /remnawave-robot
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.6
Copied the old script's email-sending logic in full to ensure 100% consistency with the old code
v1.0.5
Fixed the email template (uses the full HTML template and all required variables)
v1.0.4
Fixed email-sending issues (format of the from field and the text field)
v1.0.3
Fixed email-sending issues; added a resend script and a troubleshooting guide
v1.0.2
Fixed handling of email-sending failures and the display of the subscription URL
v1.0.1
Fixed the traffic-reset policy mapping and the HTTP status code check
v1.0.0
- Initial release of Remnawave Robot, an all-in-one tool for automated Remnawave account lifecycle management.
- Includes interactive setup wizard for configuration.
- Supports automated account creation, group management (sync/add/set/remove), account search, and deletion.
- Enables batch operations such as bulk creation and modification.
- Provides email notifications for account events and maintains a complete operation log.
- Ensures security with credential encryption and strict permission controls.
Frequently Asked Questions
What is Remnawave Robot?
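Remnawave Robot automates the full lifecycle of Remnawave accounts: setup wizard, account creation, group sync, account lookup, deletion and batch operations, with email notifications. It is an AI Agent Skill for Claude Code / OpenClaw, with 218 downloads so far.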
How do I install Remnawave Robot?
Run "/install remnawave-robot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Remnawave Robot free?
Yes, Remnawave Robot is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Remnawave Robot support?
Remnawave Robot is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Remnawave Robot?
It is built and maintained by uepuer (@uepuer); the current version is v1.0.6.