Remnawave Robot

自动化管理Remnawave账号全生命周期，支持配置向导、账号创建、分组同步、账号查询、删除及批量操作，并发送邮件通知。

This package appears to implement the described Remnawave account-management functions, but it has practical and security issues you should address before installing or running it: - Expect to provide two sensitive credentials: a Remnawave API token and SMTP credentials (username/password). The skill metadata did NOT list these — treat that as a red flag and verify externally before trusting the package. - The scripts read/write ../../.env (workspace-level .env). That file may be shared by other tools; don't point this skill at a .env that contains unrelated secrets. Prefer a dedicated credentials file or isolated test workspace. - SMTP credentials are kept in config/smtp.json in plaintext (though files are chmod 600). Consider using a dedicated mailbox with minimal privileges or an app-specific credential rather than a primary admin mailbox. - Default/config examples suggest disabling SSL verification and an API base using a raw IP address; avoid setting sslRejectUnauthorized=true in production and confirm the API endpoint is legitimate. - Several templates and docs reference external domains (datat.cc, third-party download URLs). Validate those URLs independently — they may host subscription links or third-party binaries. - Run the code first in an isolated test environment (non-production account, isolated workspace) and audit the files it writes (../../.env and logs) before using on real production secrets. - If you proceed, consider editing setup.js to change the .env path to a skill-local secure store, or store the REMNAWAVE_API_TOKEN in a dedicated credential manager rather than workspace .env. If you want, I can produce a short checklist and safe setup steps (how to run in an isolated folder, how to create and use a throwaway SMTP account, or a suggested patch to avoid writing to ../../.env).

Type: OpenClaw Skill Name: remnawave-robot Version: 1.0.6 The bundle is an automation toolkit for managing Remnawave VPN accounts, squads, and email notifications. It handles sensitive credentials, including API tokens and SMTP passwords, storing them in local configuration files (e.g., `config/smtp.json` and `.env`). While the scripts appear to be legitimate administrative tools, they contain high-risk behaviors and vulnerabilities: the `setup.js` and `remnawave.json` files allow for disabling SSL certificate verification (`sslRejectUnauthorized: false`), and the `fix-zoho-smtp.sh` script explicitly prints the entire SMTP configuration—including plaintext passwords—to the console. These practices expose sensitive credentials to the agent's execution logs and increase the risk of man-in-the-middle attacks.