ClawHub

Remnawave Account Creator

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Remnawave admin automation tool, but it can create, modify, delete, search, email, and store sensitive account data with weak safeguards.

Install only in a controlled admin environment. Use least-privilege Remnawave and SMTP credentials, enable certificate verification where possible, redact subscription URLs and generated passwords from output and logs, add mandatory confirmation for create/delete/group changes, remove the automatic delete-and-retry path, and verify every recipient and CC before sending onboarding email.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (35)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script reads a bearer token from a local .env file and uses it to perform privileged API operations, but the skill provides no clear disclosure that it accesses local credentials. In an agent-skill context, silent credential access is risky because it expands capability beyond a narrowly declared task and can surprise the user or be repurposed for unauthorized API actions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script performs authenticated enumeration of the full user directory by paging through up to 50 pages of `/api/users`, then filters locally and prints usernames, email addresses, group membership, and creation dates. Even though it does not exfiltrate data externally, this is still unnecessary broad access and disclosure of user information without any visible access-control check, minimization, or clear business justification in the skill itself.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script bulk-enumerates the entire user directory, filters for a substring match, and prints account metadata including UUID, email, squad, status, traffic limits, and dates. Even if intended for administrative troubleshooting, this is an overbroad collection and disclosure pattern that increases privacy risk and makes unauthorized account discovery easier if the script is run in an inappropriate context.

Context-Inappropriate Capability

Medium
Confidence
72% confidence
Finding
The script falls back to reading a bearer token from a local workspace .env file without an explicit user prompt or strict need beyond convenience. In an agent/skill context, implicit credential loading from local files expands access to secrets and can surprise the operator, especially when combined with immediate outbound authenticated requests.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly discloses the local filesystem path where the API token is stored, which materially lowers the barrier for misuse by any agent, plugin, or user with workspace access. In a skill context, this is sensitive operational guidance because it points directly to credential location without any warning about least-privilege handling, redaction, or avoiding token exfiltration.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation includes a destructive user-deletion endpoint with no warning about irreversible impact, authorization scope, or confirmation requirements. In an agent-oriented setting, exposing deletion as a routine operation without safeguards increases the chance of accidental or automated destructive actions against user accounts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README demonstrates account creation output that includes sensitive secrets such as UUIDs, Trojan/SS passwords, and a subscription URL, while describing automatic email transmission of account details. In an account-provisioning skill, these values are live credentials; documenting and normalizing their display and transmission without strong handling guidance increases the risk of credential leakage through terminals, logs, screenshots, shell history, or misaddressed email.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The natural-language trigger example is broad enough that a normal operational request could directly cause account provisioning and email delivery without an explicit confirmation gate. Because this skill performs high-impact external actions, ambiguous invocation increases the risk of accidental execution, unauthorized account creation, and unintended disclosure of subscription information to recipients or CC addresses.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill is designed to create external service accounts and send onboarding emails, but the description does not define any mandatory user confirmation, authorization check, or warning about the consequences of execution. In this context, missing safety interlocks is dangerous because the action is irreversible enough to create real accounts, consume resources, and distribute credentials or subscription URLs to potentially incorrect recipients.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This section instructs operators to retrieve detailed account records including email, subscription address, usage history, status, and other account metadata, but provides no privacy, authorization, or data-minimization guidance. In an agent skill context, that omission can normalize broad access to personal or sensitive account data and lead to unnecessary disclosure to users or operators who are not explicitly authorized.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The curl examples demonstrate authenticated access to user records with bearer tokens and include a realistic token format, while suppressing TLS verification with '-k'. This encourages insecure handling of credentials and account data, increasing the chance of token leakage, misuse of privileged API access, and interception or exposure of sensitive user information.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The SOP provides step-by-step instructions and authenticated API examples for modifying user group assignments, but it does not clearly require authorization checks, role restrictions, approval workflow, or operator verification before changing another user's access scope. In an internal ops context, changing groups can alter entitlements or routing/access behavior, so omission of those safeguards can enable unauthorized or improper privilege changes by a user who has API access but lacks business authorization.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow explicitly includes sending account activation details by SMTP but provides no guidance on minimizing sensitive contents, verifying recipients, or protecting transmitted credentials. In an account-provisioning context, email can expose subscription links, identifiers, or operational access details to unintended recipients through misdelivery, mailbox compromise, or insecure handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document directs operators to log into a management console at a specific administrative endpoint and perform privileged user modifications, but it lacks any warning about the sensitivity of these actions or safeguards for administrative access. In practice, this normalizes privileged console use and could lead to unauthorized changes, credential exposure, or unsafe handling of production administration tasks.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script accesses a sensitive local credential store without warning, confirmation, or explanatory documentation. In a skill setting, undisclosed credential access can violate user expectations and enables privileged remote actions using secrets the user did not knowingly authorize for this operation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script modifies remote user group membership immediately, with hard-coded target account and squad IDs, and without any confirmation or dry-run mode. In an agent environment this is more dangerous because it performs a privileged state-changing action that can alter access control and entitlements without explicit operator approval.

Missing User Warnings

High
Confidence
97% confidence
Finding
When --force-recreate or an environment variable is set, the script deletes an existing user account immediately without any confirmation step or secondary validation. In an automation context, a mistaken username, bad input, or abused environment setting can irreversibly remove the wrong account and disrupt service for legitimate users.

Missing User Warnings

High
Confidence
98% confidence
Finding
On create failure indicating the username already exists, the script automatically searches for and deletes an existing account, then retries creation, all without user confirmation. This makes a transient API error, stale search result, or username collision capable of triggering destructive account deletion unexpectedly, which is particularly dangerous in administrative account-management tooling.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script bulk-enumerates users and prints usernames, email addresses, and group membership to stdout, exposing personally identifiable and potentially sensitive organizational data. In an agent/automation context, console output may be captured by logs, terminals, CI systems, or chat transcripts, expanding the blast radius beyond the intended operator.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes account-creation details to disk, including username, email, UUID, subscription URL, message ID, and error data, and also creates a human-readable Markdown summary. Even if some secrets are omitted, these fields are still sensitive operational and personal data; storing them in plaintext logs increases exposure through local compromise, backups, support access, or accidental sharing. In this context, the script is explicitly for account provisioning and audit, which makes the logging behavior more dangerous because it centralizes user identifiers and access-related metadata in a predictable directory.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script prints highly sensitive account data including email addresses and subscription URLs directly to stdout. Subscription URLs often function as bearer-style access links, so exposing them in terminal history, logs, screen shares, or CI output can leak account access or facilitate unauthorized use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script loads a bearer token from a local config file and immediately uses it to make authenticated API requests without any access control, consent prompt, or audit guardrails. In a skill/agent context, this is dangerous because it enables silent use of privileged credentials to query backend data, increasing the risk of unauthorized API access and data exposure if the script is invoked unexpectedly or by an untrusted operator.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This code enumerates users and prints sensitive account information including usernames, emails, UUIDs, status, group membership, traffic limits, expiration dates, and subscription URLs. That creates a clear privacy and security risk because subscription URLs and account metadata can be used for targeting, account takeover workflows, or broader reconnaissance, especially when bulk enumeration is performed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This script retrieves the full user list in bulk and then prints identifying account data including username, UUID, email, squad membership, status, quota, and dates for every matching account. In an agent-skill context, that creates unnecessary exposure of sensitive account information to logs or operators, especially because there is no access-control check, minimization, masking, or user-consent flow in the script itself.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This script bulk-enumerates user accounts and prints usernames and email addresses for all matches, which exposes personally identifiable information to anyone with access to run or view the script output. In agent/skill contexts, this is risky because it normalizes broad directory scraping rather than least-privilege lookup, increasing the chance of unauthorized data disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal