Armory

Connect Battle.net and show off your World of Warcraft characters — class-colored character cards on member profiles, a main-character badge by your posts, and Battle.net sign-in. Dependency-free OAuth2 + the official Blizzard WoW API. Add your Blizzard API client id/secret in admin and pick a region.

AI security review

Reviewed safe · 92/100
A legitimate Battle.net OAuth + Blizzard WoW API extension. All outbound calls go to official Blizzard/Battle.net hosts, tokens are stored encrypted, OAuth uses CSRF state validation, and admin routes are gated by auth/admin middleware. No RCE, eval, shell, SSRF, or data exfiltration found.
  • low · Public character endpoints expose data by raw ID — Routes /api/ext/armory/user/{id}, /full/{id}, /extra/{id}/{kind} are 'web' only and return character data filtered by is_visible; this is intended public profile data but allows enumeration of any user's visible characters by ID. Low risk, no sensitive data leaked.
  • low · Auto-account-creation and login on Battle.net callback — In Extension::callback, a non-link sign-in creates/logs in a User keyed on bnet_id. State is validated with hash_equals so CSRF is mitigated, but trust depends entirely on Blizzard's id; acceptable for an OAuth sign-in flow.
  • low · Remote image/icon URLs rendered directly — avatar_url/icon values from the Blizzard API are inserted into img src in forum.js and armory page JS (escaped). Values originate from Blizzard's trusted API, so low risk.

Automated review of v0.1.0 by claude-opus-4-8 1 day ago. This is an automated signal to aid your judgment — not a guarantee.