Scan report
15/100
inflynce-create-campaign
Create and launch Inflynce Boost campaigns to promote any https:// link by paying USDC rewards to real users on Base
This is a legitimate Inflynce marketing campaign creation tool with well-documented functionality, proper GraphQL URL validation, HTTPS enforcement, and clear marking of agent-created campaigns. The only notable risk is private key handling for blockchain transactions, which is explicitly documented and marked as highly sensitive.
Safe to install
Approve for use. If possible, use the web interface at boost.inflynce.com for the 0.25 USDC fee payment to avoid storing a private key in the agent environment. Ensure PRIVATE_KEY is not logged or exposed in error messages.
Security findings (2)
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | PRIVATE_KEY required for blockchain transactions | Credential theft | SKILL.md:55 |
| Low | Dependencies use caret versioning | Supply chain | package.json:10 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | GraphQL POST to boost.inflynce.com, validated to exact host |
| Environment variables | READ | READ | ✓ Consistent | Reads GRAPHQL_URL, PRIVATE_KEY, RPC_URL from process.env |
| Command execution | NONE | WRITE | ✓ Consistent | Test file uses spawnSync to run node scripts (acceptable test practice) |
| Database | NONE | WRITE | ✓ Consistent | Blockchain write operations via viem for USDC transfers - documented in SKILL.md |
| Filesystem | NONE | NONE | — | No direct filesystem access in scripts |
17 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://boost.inflynce.com/api/graphql | SKILL.md:6 |
| Medium | External URL | https://boost.inflynce.com | SKILL.md:8 |
| Medium | External URL | https://mainnet.base.org | SKILL.md:48 |
| Medium | Cryptocurrency wallet address | 0xA61529732F4E71ef1586252dDC97202Ce198A38A | SKILL.md:63 |
| Medium | Cryptocurrency wallet address | 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 | SKILL.md:64 |
| Medium | Cryptocurrency wallet address | 0x6e6A6128bB0c175989066eb0e2bf54F06688207b | SKILL.md:65 |
| Medium | External URL | https://x.com/user/status/123 | SKILL.md:88 |
| Medium | External URL | https://x.com/... | SKILL.md:123 |
| Medium | External URL | https://twitter.com/... | SKILL.md:123 |
| Medium | External URL | https://warpcast.com/~/casts/0x... | SKILL.md:125 |
| Medium | External URL | https://paulmillr.com/funding/ | package-lock.json:30 |
| Medium | Cryptocurrency wallet address | 0x0000000000000000000000000000000000000001 | test/create_campaign.test.js:42 |
| Medium | External URL | https://warpcast.com/~/casts/$ | test/create_campaign.test.js:69 |
| Medium | External URL | https://x.com/user/1 | test/create_campaign.test.js:88 |
| Medium | External URL | https://evil.com/graphql | test/create_campaign.test.js:120 |
| Medium | External URL | http://boost.inflynce.com/api/graphql | test/create_campaign.test.js:132 |
| Medium | External URL | https://evil.boost.inflynce.com/api/graphql | test/create_campaign.test.js:156 |
Directory structure
8 files · 39.8 KB · 1100 lines
JavaScript: 4 files · 469 lines
JSON: 3 files · 382 lines
Markdown: 1 file · 249 lines
├─ scripts
│  ├─ create_campaign.js (JavaScript)
│  ├─ pay_fee.js (JavaScript)
│  └─ top_up.js (JavaScript)
├─ test
│  └─ create_campaign.test.js (JavaScript)
├─ clawhub.json (JSON)
├─ package-lock.json (JSON)
├─ package.json (JSON)
└─ SKILL.md (Markdown)
Dependency analysis (2)
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| viem | ^2.0.0 (installed: 2.47.0) | npm | No | Well-audited Ethereum library by wevm team |
| ethereum-cryptography | ^2.0.0 (installed: 2.2.1) | npm | No | Standard cryptography library for keccak256 hashing |
Security highlights
✓ GraphQL URL is validated at runtime to exact hostname 'boost.inflynce.com'
✓ HTTPS protocol is enforced for all network requests
✓ Subdomain attacks are explicitly blocked (evil.boost.inflynce.com rejected)
✓ Payment hash format validation (0x + 64 hex chars)
✓ Budget minimum enforcement (5 USDC)
✓ Agent-created campaigns clearly marked with appType: 2
✓ Comprehensive security-focused test coverage for URL validation
✓ Uses reputable, well-audited libraries (viem, ethereum-cryptography)
✓ No sensitive file access (~/.ssh, ~/.aws, .env files not accessed)
✓ No obfuscation or encoded execution patterns detected
✓ No data exfiltration or C2 communication
✓ No credential harvesting beyond what's necessary
✓ No curl|bash remote execution patterns
✓ Documentation accurately describes all functionality