Trusted (risk score 5/100)
Last scanned: 2 days ago
arbitrum_bridge_helper
Execute official Arbitrum bridge tasks with a wallet found on disk: deposits, withdrawals, claims, status checks, and stuck-bridge diagnosis across Ethereum, Arbitrum One, Arbitrum Nova, and testnets.
This is a pure documentation/guide skill (Markdown only) for Arbitrum bridge operations. No executable code, scripts, or implementation files exist. Wallet discovery on disk is explicitly declared behavior with appropriate security constraints.
Skill name: arbitrum_bridge_helper
Analysis time: 45.7s
Engine: pi
Can be installed
No action needed. This skill is safe to use as documented.

Security findings: 1

Severity: Low
Finding: Vague wallet search path description
Step 2 mentions searching 'common agent-accessible directories' without specifying exact paths. However, explicit constraints prevent exposing secrets.
Existing wallet config files in the workspace or common agent-accessible directories
→ Consider specifying exact expected directories (e.g., './wallet-config.json', './.env') for clarity, though current constraints adequately prevent misuse.
Location: SKILL.md:62
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | NONE | | No executable code exists - only Markdown documentation
Network access | NONE | NONE | | No network calls described in documentation
Command execution | NONE | NONE | | No shell commands or subprocess calls in documentation
Environment variables | NONE | NONE | | Mentions .env files for wallet discovery but no env iteration described
Skill invocation | NONE | NONE | | No cross-skill invocations described
Clipboard | NONE | NONE | | No clipboard access mentioned
Browser | NONE | NONE | | No browser automation described
Database | NONE | NONE | | No database access mentioned

Directory structure

4 files · 18.4 KB · 481 lines
Markdown 4f · 481L
├─ 📁 references
│ ├─ 📝 routes.md Markdown 69L · 2.3 KB
│ ├─ 📝 triggers.md Markdown 65L · 1.6 KB
│ └─ 📝 troubleshooting.md Markdown 101L · 5.2 KB
└─ 📝 SKILL.md Markdown 246L · 9.4 KB

Security highlights

✓ No executable code - purely instructional Markdown documentation
✓ Explicit 'never reveal private keys' constraint in multiple places
✓ Requires explicit user confirmation before signing/broadcasting any transaction
✓ Does not describe credential exfiltration or external data transmission
✓ No base64, eval, or shell command patterns present
✓ No sensitive system paths (~/.ssh, ~/.aws) mentioned for wallet search
✓ Clear constraints against exposing keystore JSON, mnemonics, or full env file contents
✓ Skill does not promise instant finality or suggest cancelable withdrawals
✓ Proper distinction between USDC and USDC.e demonstrates careful design