Kunwu Builder

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.exposed_resource_identifier

Findings (24)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user does not override the endpoint, the agent could send commands or receive scene data from a non-local Kunwu Builder instance.

Why it was flagged

All API calls default to a hard-coded plaintext private/Tailscale-range address unless overridden. That creates an unclear service boundary for scene, robot, camera, model, and equipment-control traffic.

Skill content

const BASE_URL = process.env.KUNWU_API_URL || 'http://100.85.119.45:16888';

Recommendation

Default to localhost or require the user to set KUNWU_API_URL explicitly; clearly declare the environment variable and reject non-local endpoints unless the user approves them.

What this means

A user may trust the skill as local-only while its default client can target a different private-network host.

Why it was flagged

This local-only claim conflicts with supplied code and examples that use non-local private addresses, so users may incorrectly assume the skill only talks to their own local machine.

Skill content

Local access: the API only allows local connections (127.0.0.1)

Recommendation

Make the documentation match the code, remove hard-coded remote defaults, and prominently warn users to verify the target API URL before use.

What this means

A mistaken or overly autonomous agent action could delete models, reset scenes, or otherwise alter the Kunwu simulation unexpectedly.

Why it was flagged

The skill documents direct access to destructive model operations through a generic endpoint/data tool, with no visible confirmation gate or scoped allowlist in the supplied artifacts.

Skill content

kunwu_call endpoint="/model/destroy" data='{"id":"modelId","useModeId":true}'

Recommendation

Require explicit user confirmation for destructive, reset, bulk, robot-motion, and equipment-control actions; prefer safer named workflows over arbitrary endpoint calls.

What this means

Using model creation may download third-party or cloud-hosted model assets into the Kunwu environment.

Why it was flagged

The model-loading workflow can cause Kunwu Builder to fetch models from a cloud source when local models are missing. This is disclosed and purpose-aligned, but users should understand the remote dependency.

Skill content

`checkFromCloud: true` → loads directly if the model exists locally (fast); downloads automatically from the cloud if it does not

Recommendation

Use trusted model IDs, document the cloud source, and set checkFromCloud to false when a local-only workflow is required.

What this means

Running the helper script can create or modify multiple models in the configured Kunwu Builder instance.

Why it was flagged

The skill documents running local Node.js helper scripts for batch model loading. This is expected for the skill, but it is local code execution and can mutate the target scene.

Skill content

node scripts/model-loader.js models.json

Recommendation

Run helper scripts manually after reviewing the endpoint and input JSON; the package should declare Node.js as a runtime requirement.

Findings (24)

critical: suspicious.env_credential_access
Location: kunwu-tool.js:11
Finding: Environment variable access combined with network send.

critical: suspicious.env_credential_access
Location: scripts/model-loader.js:25
Finding: Environment variable access combined with network send.

critical: suspicious.env_credential_access
Location: test-full.js:5
Finding: Environment variable access combined with network send.

critical: suspicious.exposed_resource_identifier
Location: EXPORT-GUIDE.md:77
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: kunwu-tool.js:11
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-all-grippers-final.js:12
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-assemble-with-create.js:10
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-bracket-workaround.js:10
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-camera-bracket-assemble.js:24
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-check-all-tasks.js:9
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-check-grippers.js:9
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-create-gripper.js:9
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-final-assemble.js:9
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-final-report.js:9
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-gripper-download-debug.js:9
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-gripper-result.js:9
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-grippers-behavior.js:17
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-pick-sort-scene.js:10
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-proper-assemble.js:14
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: test-remote-camera.js:9
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: tests-deprecated/test-download-debug.js:9
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: tests-deprecated/test-download-direct.js:9
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: tests-deprecated/test-download-one-gripper.js:9
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

critical: suspicious.exposed_resource_identifier
Location: tests-deprecated/test-download-with-path.js:9
Finding: Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.