Trusted — Risk Score 5/100
Last scan: 2 days ago
dao-governance
Web3 DAO governance research skill using Degov Agent API with x402 payments
Legitimate DAO governance research skill with proper wallet management and x402 payment integration. No malicious behavior detected.
Skill Name: dao-governance
Duration: 35.4s
Engine: pi
Safe to install
No action needed. The skill is safe to use for its documented purpose.

Findings 2 items

Severity: Info
Finding: Pre-scan base64 flags are false positives
Location: scripts/wallet-store.ts:208
The pre-scan flagged Buffer.from(...'base64') as CRITICAL 'code obfuscation', but these are standard cryptographic encoding operations for AES-256-GCM encryption parameters (salt, iv, authTag, ciphertext). This is legitimate crypto implementation, not obfuscation.
Evidence: Buffer.from(cryptoPayload.salt, 'base64')
→ No action needed - this is expected cryptographic practice

Severity: Low
Finding: Internal passphrase stored in filesystem
Location: scripts/wallet-store.ts:11
The skill stores an internally-generated passphrase at ~/.agents/state/dao-governance/wallet-passphrase. While this is necessary for wallet functionality and uses proper file permissions (0o600), any compromise of the passphrase file could expose the wallet private key.
Evidence: export const DEFAULT_PASSPHRASE_PATH = path.join(DEFAULT_STATE_DIR, 'wallet-passphrase')
→ Consider using a system keyring (e.g., keychain, kwallet) for passphrase storage in production environments
Resources

Resource     Declared  Inferred  Status     Evidence
Filesystem   READ      WRITE     ✓ Aligned  SKILL.md declares wallet storage in ~/.agents/state/dao-governance/
Network      READ      READ      ✓ Aligned  SKILL.md declares API calls to degov-agent-api
Shell        WRITE     WRITE     ✓ Aligned  SKILL.md documents pnpm exec tsx commands
Environment  READ      READ      ✓ Aligned  Uses env vars like DEGOV_AGENT_WALLET_PASSPHRASE, DEGOV_AGENT_API_BASE_URL
Pre-scan: 8 findings (4 Critical)

🔒 Critical: Encoded Execution (Base64 encoded execution, code obfuscation)
Buffer.from(cryptoPayload.salt, 'base64'
scripts/wallet-store.ts:208

🔒 Critical: Encoded Execution (Base64 encoded execution, code obfuscation)
Buffer.from(cryptoPayload.iv, 'base64'
scripts/wallet-store.ts:212

🔒 Critical: Encoded Execution (Base64 encoded execution, code obfuscation)
Buffer.from(cryptoPayload.authTag, 'base64'
scripts/wallet-store.ts:214

🔒 Critical: Encoded Execution (Base64 encoded execution, code obfuscation)
Buffer.from(cryptoPayload.ciphertext, 'base64'
scripts/wallet-store.ts:216

🔗 Medium: External URL
https://agent-api.degov.ai
scripts/README.md:32

🔗 Medium: External URL
https://mainnet.base.org
scripts/degov-client.ts:87

🔗 Medium: External URL
https://basescan.org/tx/$
scripts/degov-client.ts:160

💰 Medium: Wallet Address (cryptocurrency wallet address)
0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913
scripts/wallet-store.ts:18

File Tree

7 files · 63.4 KB · 2005 lines
TypeScript 2f · 883L YAML 1f · 737L Markdown 2f · 344L JSON 2f · 41L
├─ 📁 scripts
│ ├─ 📜 degov-client.ts TypeScript 499L · 14.8 KB
│ ├─ 📋 package.json JSON 27L · 1.1 KB
│ ├─ 📋 pnpm-lock.yaml YAML 737L · 22.0 KB
│ ├─ 📝 README.md Markdown 87L · 2.7 KB
│ ├─ 📋 tsconfig.json JSON 14L · 290 B
│ └─ 📜 wallet-store.ts TypeScript 384L · 10.4 KB
└─ 📝 SKILL.md Markdown 257L · 12.1 KB

Dependencies 3 items

Package       Version  Source  Known Vulns  Notes
viem          ^2.37.5  npm     No           Standard Ethereum library, widely used
@x402/evm     ^2.6.0   npm     No           Official x402 payment library for EVM chains
@x402/fetch   ^2.6.0   npm     No           Official x402 payment library for HTTP requests

Security Positives

✓ Uses standard AES-256-GCM encryption for wallet private keys
✓ Sets restrictive 0o600 file permissions on wallet and passphrase files
✓ All network calls are to the declared API endpoint only
✓ No credential exfiltration - credentials stay local
✓ Uses legitimate x402 payment protocol (@x402/evm, @x402/fetch)
✓ Clear user consent flow for paid API calls
✓ Guardrails in SKILL.md explicitly prohibit asking for private keys
✓ Wallet migration removes old wallet files after transfer
✓ No base64 piping to shell or eval() usage
✓ Proper error handling throughout cryptographic operations