Low risk (risk score 15/100)
Last scanned: 1 day ago
tempo-stable-uniswap-swaps
Tempo stablecoin and token swap operations for agents using Foundry (cast) and Uniswap Trade API
Legitimate Tempo stablecoin/DeFi swap skill using Foundry and Uniswap API with properly documented functionality; the curl|bash pattern for Foundry installation is a standard, documented approach from Paradigm.
Skill name: tempo-stable-uniswap-swaps
Analysis time: 33.7s
Engine: pi
Safe to install
No action required. Consider pinning Foundry version in production deployments.

Security findings: 1

Severity / Finding / Location
Low
curl|bash installation pattern detected (Documentation deception)
Line 36 uses 'curl -L https://foundry.paradigm.xyz | bash' for Foundry installation. While this pattern is often associated with supply chain risks, in this case it is the official, documented installation method for Foundry (a well-known Ethereum development framework by Paradigm). The risk is mitigated by the source being a trusted, established project.
curl -L https://foundry.paradigm.xyz | bash
→ Consider documenting this as intentional Foundry installation. For production use, consider pinning Foundry version or using package manager installation.
SKILL.md:36
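| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | | No file operations in code |
| Network access | READ | READ | ✓ Consistent | SKILL.md:56-66 - curl to Uniswap API, SKILL.md:88 - eth_call to RPC |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:36 - foundryup, SKILL.md:50 - cast send for transfers |
| Environment variables | READ | READ | ✓ Consistent | SKILL.md:46 - PRIVATE_KEY, UNISWAP_API_KEY |
| Skill invocation | NONE | NONE | | No skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser access |
| Database | NONE | NONE | | No database access |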
1 critical, 8 findings
💀
Critical: Dangerous command (dangerous shell command)
curl -L https://foundry.paradigm.xyz | bash
SKILL.md:36
🔗
Medium: External URL
https://rpc.presto.tempo.xyz
SKILL.md:19
💰
Medium: Wallet address (cryptocurrency wallet address)
0x20C0000000000000000000000000000000000000
SKILL.md:20
💰
Medium: Wallet address (cryptocurrency wallet address)
0x20c000000000000000000000b9537d11c60e8b50
SKILL.md:21
💰
Medium: Wallet address (cryptocurrency wallet address)
0x20C000000000000000000000d5d5815Ae71124d1
SKILL.md:22
💰
Medium: Wallet address (cryptocurrency wallet address)
0x000000000022D473030F116dDEE9F6B43aC78BA3
SKILL.md:23
🔗
Medium: External URL
https://foundry.paradigm.xyz
SKILL.md:36
🔗
Medium: External URL
https://trade-api.gateway.uniswap.org/v1/quote
SKILL.md:77

Directory structure

1 file · 4.2 KB · 141 lines
Markdown 1f · 141L
└─ 📝 SKILL.md Markdown 141L · 4.2 KB

Security highlights

✓ All functionality declared in SKILL.md - no hidden behavior
✓ No credential exfiltration - PRIVATE_KEY used only for local blockchain operations
✓ No obfuscation or base64-encoded payloads
✓ Standard Uniswap/DeFi patterns used correctly
✓ Permit2 approval patterns are standard and documented
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ Network calls limited to legitimate endpoints (Uniswap API, Tempo RPC)
✓ No reverse shell, C2, or data theft behavior
✓ Foundry/cast is a widely-used legitimate blockchain development tool