Low risk (risk score 15/100)
Last scanned: 21 hours ago
binance-event-contract-data-fetcher
Binance Event Contract Full Data Fetcher - fetches K-line, liquidity, market, and contract rule data for BTC/ETH trading pairs
Documentation-only skill describing Binance data fetching; no implementation code present to execute malicious behavior, though documentation lacks declared allowed tools.
Skill name: binance-event-contract-data-fetcher
Analysis time: 31.3s
Engine: pi
Can be installed
This skill contains only a SKILL.md specification without any executable code. If implementation is added later, ensure all network/filesystem/shell operations are explicitly declared in allowed-tools.

Security findings: 1

Severity | Finding | Location
Low
Missing allowed-tools declaration (documentation deception)
The SKILL.md does not declare required permissions. A data fetcher that mentions cache and API calls should explicitly list filesystem:READ and network:READ as allowed tools.
No allowed-tools section present in document
→ Add an allowed-tools declaration section listing: network:READ (for Binance API), filesystem:READ (for cache access), and if cron is implemented: shell:WRITE
SKILL.md:1
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | READ | ✓ Consistent | SKILL.md mentions 'cache' functionality implying file read/write
Network access | NONE | READ | ✓ Consistent | SKILL.md describes fetching from api.binance.com but does not declare network:RE…
Command execution | NONE | NONE | | Mentions cron auto-run but no explicit shell execution declared
1 finding
Medium: External URL
https://api.binance.com
SKILL.md:15

Directory structure

1 file · 4.1 KB · 100 lines
Markdown 1f · 100L
└─ 📝 SKILL.md Markdown 100L · 4.1 KB

Security highlights

✓ No executable code present - cannot perform malicious actions
✓ Declares clear data-source restrictions (Binance only)
✓ Explicitly forbids trading API calls and third-party exchanges
✓ No credential harvesting mentioned
✓ No obfuscation or base64-encoded content observed
✓ No sensitive path access (.ssh, .aws, .env) declared