Remnawave Robot

This package appears to implement the described Remnawave account-management functions, but it has practical and security issues you should address before installing or running it: - Expect to provide two sensitive credentials: a Remnawave API token and SMTP credentials (username/password). The skill metadata did NOT list these — treat that as a red flag and verify externally before trusting the package. - The scripts read/write ../../.env (workspace-level .env). That file may be shared by other tools; don't point this skill at a .env that contains unrelated secrets. Prefer a dedicated credentials file or isolated test workspace. - SMTP credentials are kept in config/smtp.json in plaintext (though files are chmod 600). Consider using a dedicated mailbox with minimal privileges or an app-specific credential rather than a primary admin mailbox. - Default/config examples suggest disabling SSL verification and an API base using a raw IP address; avoid setting sslRejectUnauthorized=true in production and confirm the API endpoint is legitimate. - Several templates and docs reference external domains (datat.cc, third-party download URLs). Validate those URLs independently — they may host subscription links or third-party binaries. - Run the code first in an isolated test environment (non-production account, isolated workspace) and audit the files it writes (../../.env and logs) before using on real production secrets. - If you proceed, consider editing setup.js to change the .env path to a skill-local secure store, or store the REMNAWAVE_API_TOKEN in a dedicated credential manager rather than workspace .env. If you want, I can produce a short checklist and safe setup steps (how to run in an isolated folder, how to create and use a throwaway SMTP account, or a suggested patch to avoid writing to ../../.env).