Low risk: risk score 15/100
Last scan: 1 day ago
storyclaw-alpaca-trading
US stock and crypto trading via Alpaca API with paper trading and real trading support
Legitimate trading skill with minor documentation gaps and inconsistent credential handling patterns that don't constitute malicious behavior.
Skill name: storyclaw-alpaca-trading
Analysis time: 49.5s
Engine: pi
Status: can be installed
Document all scripts in SKILL.md, prefer environment variable usage over JSON file storage for credentials, and add explicit permission declarations for shell execution.

Security findings: 3

Severity | Finding | Location

Low: Undocumented strategy scripts (category: documentation deception)
aggressive-strategy.js and momentum-strategy.js exist but are not mentioned in SKILL.md. Users cannot audit their behavior from the documentation.
Evidence: #!/usr/bin/env node /**\n * Aggressive Trading Strategy
→ Document all available scripts in SKILL.md or remove undocumented scripts.
Location: scripts/aggressive-strategy.js:1

Low: Inconsistent credential handling (category: sensitive access)
momentum-strategy.js hard-codes the config.json path and ignores environment variables, while the main trading.js supports both. This creates user confusion and potential credential mishandling.
Evidence: const CONFIG_PATH = path.join(__dirname, '..', 'config.json');
→ Use the same config-loader.js as trading.js for consistent credential handling.
Location: scripts/momentum-strategy.js:19

Info: Plaintext credential storage (category: sensitive access)
API keys are stored in credentials/{USER_ID}.json files. While not unusual, environment variables are generally preferred for sensitive credentials.
Evidence: {"apiKey": "", "apiSecret": ""}
→ Consider emphasizing environment variable usage (ALPACA_API_KEY, ALPACA_API_SECRET) in the documentation.
Location: credentials/example.json:1

Permissions

Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | config-loader.js:32 - reads credentials/{USER_ID}.json
Network access | READ | READ | ✓ Consistent | trading.js:60-95 - HTTPS requests to Alpaca API
Command execution | NONE | WRITE | ✗ Exceeds declaration | aggressive-strategy.js:13 - execSync('node trading.js ...')
Environment variables | READ | READ | ✓ Consistent | config-loader.js:18 - reads USER_ID/TELEGRAM_USER_ID

External URLs: 4 findings

Severity | Type | URL | Location
Medium | External URL | https://paper-api.alpaca.markets | SKILL.md:35
Medium | External URL | https://data.alpaca.markets | SKILL.md:36
Medium | External URL | https://api.alpaca.markets | SKILL.md:40
Medium | External URL | https://app.alpaca.markets/brokerage/new-account | SKILL.md:96

Directory structure

7 files · 34.8 KB · 1154 lines
JavaScript: 4 files, 1037 lines · Markdown: 1 file, 105 lines · JSON: 2 files, 12 lines
├─ 📁 credentials
│ └─ 📋 example.json JSON 6L · 131 B
├─ 📁 scripts
│ ├─ 📜 aggressive-strategy.js JavaScript 110L · 3.2 KB
│ ├─ 📜 config-loader.js JavaScript 59L · 1.9 KB
│ ├─ 📜 momentum-strategy.js JavaScript 395L · 11.2 KB
│ └─ 📜 trading.js JavaScript 473L · 15.1 KB
├─ 📋 config.example.json JSON 6L · 172 B
└─ 📝 SKILL.md Markdown 105L · 3.1 KB

Security highlights

✓ All network requests go to legitimate Alpaca API endpoints (paper-api.alpaca.markets, data.alpaca.markets)
✓ No base64 encoding, obfuscation, or anti-analysis techniques detected
✓ No credential exfiltration or external data transfer observed
✓ No sensitive paths (~/.ssh, ~/.aws, .env) accessed
✓ No reverse shell, C2, or reverse engineering indicators
✓ Clean codebase with no suspicious patterns