ClawAudit verdict
messenger_node
ranchimall-messenger
The skill provides a messenger node for interacting with the FLO blockchain and decentralized FLO messenger.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (8)
vm.runInThisContext — Node sandbox escape vector
btc_node.js · prose · downgraded · vm.runInThisContext(
<script> tag in markdown — potential code injection
send_node.js · prose · downgraded · <script>
Base64 decode (atob) — may hide malicious payloads
scripts/floCloudAPI.js · prose · downgraded · atob(
Popular HTTP library — network access
btc_node.js · prose · downgraded · node-fetch
Opens WebSocket connection
dapp_node.js · prose · downgraded · WebSocket
Accesses sensitive environment variables
node_shared.js · prose · downgraded · process.env.FLO_PRIVATE_KEY
Base64 encode (btoa) — may obfuscate data exfiltration
scripts/floCloudAPI.js · prose · downgraded · btoa(
String.fromCharCode — can build strings to evade detection
scripts/floCrypto.js · prose · downgraded · String.fromCharCode
Permissions & capabilities
No declared permissions — minimal attack surface.
data_encoding Is this flag fair?
Thanks — recorded.