Low Risk — Risk Score 15/100
Last scan: 1 day ago
inflynce-create-campaign
Create and launch Inflynce Boost campaigns to promote any https:// link by paying USDC rewards to real users on Base
This is a legitimate Inflynce marketing campaign creation tool with well-documented functionality, proper GraphQL URL validation, HTTPS enforcement, and clear marking of agent-created campaigns. The only notable risk is private key handling for blockchain transactions, which is explicitly documented and marked as highly sensitive.
Skill Name: inflynce-create-campaign
Duration: 43.8s
Engine: pi
Safe to install
Approve for use. If possible, use the web interface at boost.inflynce.com for the 0.25 USDC fee payment to avoid storing a private key in the agent environment. Ensure PRIVATE_KEY is not logged or exposed in error messages.

Findings (2 items)

Severity: Low
Finding: PRIVATE_KEY required for blockchain transactions
Category: Credential Theft
pay_fee.js and top_up.js require a wallet private key to sign real USDC transfers on Base. This is a legitimate requirement for the tool's functionality but introduces risk if the key is mishandled.
Evidence: PRIVATE_KEY=0x... node scripts/pay_fee.js
Recommendation: Prefer manual payment via the web UI to avoid storing a private key in the agent environment. If the key is required, ensure the environment is secure and the key is not logged.
Location: SKILL.md:55

Severity: Low
Finding: Dependencies use caret versioning
Category: Supply Chain
package.json uses ^2.0.0 versioning for viem and ethereum-cryptography, allowing minor/patch updates.
Evidence: "viem": "^2.0.0"
Recommendation: Consider pinning exact versions for production environments to prevent unexpected updates.
Location: package.json:10
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | GraphQL POST to boost.inflynce.com, validated to exact host
Environment | READ | READ | ✓ Aligned | Reads GRAPHQL_URL, PRIVATE_KEY, RPC_URL from process.env
Shell | NONE | WRITE | ✓ Aligned | Test file uses spawnSync to run node scripts (acceptable test practice)
Database | NONE | WRITE | ✓ Aligned | Blockchain write operations via viem for USDC transfers; documented in SKILL.md
Filesystem | NONE | NONE | | No direct filesystem access in scripts
17 findings

Severity | Type | Value | Location
Medium | External URL | https://boost.inflynce.com/api/graphql | SKILL.md:6
Medium | External URL | https://boost.inflynce.com | SKILL.md:8
Medium | External URL | https://mainnet.base.org | SKILL.md:48
Medium | Wallet Address | 0xA61529732F4E71ef1586252dDC97202Ce198A38A | SKILL.md:63
Medium | Wallet Address | 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 | SKILL.md:64
Medium | Wallet Address | 0x6e6A6128bB0c175989066eb0e2bf54F06688207b | SKILL.md:65
Medium | External URL | https://x.com/user/status/123 | SKILL.md:88
Medium | External URL | https://x.com/... | SKILL.md:123
Medium | External URL | https://twitter.com/... | SKILL.md:123
Medium | External URL | https://warpcast.com/~/casts/0x... | SKILL.md:125
Medium | External URL | https://paulmillr.com/funding/ | package-lock.json:30
Medium | Wallet Address | 0x0000000000000000000000000000000000000001 | test/create_campaign.test.js:42
Medium | External URL | https://warpcast.com/~/casts/$ | test/create_campaign.test.js:69
Medium | External URL | https://x.com/user/1 | test/create_campaign.test.js:88
Medium | External URL | https://evil.com/graphql | test/create_campaign.test.js:120
Medium | External URL | http://boost.inflynce.com/api/graphql | test/create_campaign.test.js:132
Medium | External URL | https://evil.boost.inflynce.com/api/graphql | test/create_campaign.test.js:156

File Tree

8 files · 39.8 KB · 1100 lines
JavaScript: 4 files · 469 lines; JSON: 3 files · 382 lines; Markdown: 1 file · 249 lines
├─ 📁 scripts
│ ├─ 📜 create_campaign.js JavaScript 152L · 4.5 KB
│ ├─ 📜 pay_fee.js JavaScript 63L · 1.9 KB
│ └─ 📜 top_up.js JavaScript 68L · 2.0 KB
├─ 📁 test
│ └─ 📜 create_campaign.test.js JavaScript 186L · 6.3 KB
├─ 📋 clawhub.json JSON 13L · 681 B
├─ 📋 package-lock.json JSON 355L · 11.8 KB
├─ 📋 package.json JSON 14L · 544 B
└─ 📝 SKILL.md Markdown 249L · 12.1 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
viem | ^2.0.0 (installed: 2.47.0) | npm | No | Well-audited Ethereum library by wevm team
ethereum-cryptography | ^2.0.0 (installed: 2.2.1) | npm | No | Standard cryptography library for keccak256 hashing

Security Positives

✓ GraphQL URL is validated at runtime to exact hostname 'boost.inflynce.com'
✓ HTTPS protocol is enforced for all network requests
✓ Subdomain attacks are explicitly blocked (evil.boost.inflynce.com rejected)
✓ Payment hash format validation (0x + 64 hex chars)
✓ Budget minimum enforcement (5 USDC)
✓ Agent-created campaigns clearly marked with appType: 2
✓ Comprehensive security-focused test coverage for URL validation
✓ Uses reputable, well-audited libraries (viem, ethereum-cryptography)
✓ No sensitive file access (~/.ssh, ~/.aws, .env files not accessed)
✓ No obfuscation or encoded execution patterns detected
✓ No data exfiltration or C2 communication
✓ No credential harvesting beyond what's necessary
✓ No curl|bash remote execution patterns
✓ Documentation accurately describes all functionality