Low Risk — Risk Score 10/100
Last scan: 23 hr ago
dex-quant-skill
Cryptocurrency quantitative trading AI Skill for strategy generation, backtesting, optimization, and monitoring
Legitimate cryptocurrency quantitative trading skill with well-documented functionality, credential handling through one-time secure links rather than chat, and external communication limited to declared endpoints (major exchanges, market-data providers, and its own backend).
Skill Name: dex-quant-skill
Duration: 39.1s
Engine: pi
Safe to install
Skill appears safe for use. Monitor vault system behavior when users configure wallet keys.

Findings (1 item)

Severity: Low
Finding: Wallet private key handling (Credential Theft)
Location: scripts/api_client.py
Details: The skill includes a vault system for Hyperliquid wallet private keys. The design is sound: SKILL.md explicitly prohibits receiving keys via chat and mandates submission through a secure link produced by vault_setup_link().
Evidence: vault_setup_link() generates a one-time secure URL for browser submission.
Recommendation: The current design is sound; continue enforcing the no-chat-key policy. Two checks worth keeping in place: the link should stay single-use and short-lived, and operators should confirm where the browser form delivers the key (the vault lives in api_client.py, the same module that talks to the skill's own backend), because wherever the key lands is inside the trust boundary.
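The one-time link pattern credited to vault_setup_link() above, shown as an added example that is not the skill's own code: a token is generated from the OS CSPRNG, only its hash is kept server-side, and redemption is single-use and time-limited. The SetupLinkVault class, the vault.example.invalid URL, the 10-minute TTL, and the 0x-prefixed 64-hex-character key check are assumptions made for the illustration.

```python
"""One-time setup link for browser-side private-key submission.

Added illustration, not dex-quant-skill's vault_setup_link(). Class and
method names, the URL, the TTL and the key-format check are assumptions.
"""
import hashlib
import re
import secrets
import time

LINK_TTL_SECONDS = 600                       # assumption: a link is valid for 10 minutes
KEY_RE = re.compile(r"0x[0-9a-fA-F]{64}")    # assumption: 0x-prefixed 32-byte hex key


class SetupLinkVault:
    def __init__(self, base_url="https://vault.example.invalid/setup", clock=time.time):
        self.base_url = base_url
        self._clock = clock          # injectable so expiry can be exercised offline
        self._pending = {}           # sha256(token) -> {"user": ..., "expires": ...}
        self._keys = {}              # user -> key (a real vault would encrypt at rest)

    @staticmethod
    def _digest(token):
        # Only the hash is stored: a leak of the pending table yields no usable links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def setup_link(self, user):
        """Issue a fresh single-use link; the key itself never passes through chat."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = {
            "user": user,
            "expires": self._clock() + LINK_TTL_SECONDS,
        }
        return f"{self.base_url}?t={token}"

    def submit(self, token, private_key):
        """Called by the browser form. Returns (accepted, reason)."""
        # pop() before any other check: the token is consumed on first use, so a
        # replayed or retried link fails even when this submission is rejected.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False, "unknown or already-used link"
        if self._clock() > entry["expires"]:
            return False, "link expired"
        if not KEY_RE.fullmatch(private_key):
            return False, "malformed key"
        self._keys[entry["user"]] = private_key
        return True, "stored"

    def has_key(self, user):
        return user in self._keys


def demo():
    """Walk through issue -> submit -> replay -> expiry with a controllable clock."""
    now = [1_700_000_000.0]
    vault = SetupLinkVault(clock=lambda: now[0])
    sample_key = "0x" + "ab" * 32            # constructed test value, not a real key

    link = vault.setup_link("alice")
    token = link.split("?t=", 1)[1]
    first = vault.submit(token, sample_key)
    replay = vault.submit(token, sample_key)

    stale = vault.setup_link("bob").split("?t=", 1)[1]
    now[0] += LINK_TTL_SECONDS + 1
    expired = vault.submit(stale, "0x" + "cd" * 32)

    return first, replay, expired, vault.has_key("alice"), vault.has_key("bob")


if __name__ == "__main__":
    print(demo())
```

Two design points: the pending entry is removed before any other check, so a token can never be retried, even after a submission that failed validation; and because the token travels in a query string it can land in browser history and server access logs, which is why the TTL is short and only the hash is retained.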
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md declares the Write tool; scripts save strategies to {baseDir}/strategies/
Network | READ | READ | ✓ Aligned | API calls to Binance, CoinGecko, DeFi Llama, and the skill's own server; all documented
Shell | WRITE | WRITE | ✓ Aligned | subprocess used for pip install and font installation; declared in the preamble
Environment | NONE | READ | ✓ Aligned | data_client.py reads the PROXY_URL env var; purpose documented
Skill Invoke | NONE | NONE | |
Clipboard | NONE | NONE | |
Browser | NONE | NONE | |
Database | NONE | NONE | |
External URLs (7 findings, all Medium severity)

Severity | URL | Location
Medium | http://json-schema.org/draft-07/schema# | schemas/signal_format.json:2
Medium | http://your-server:8000 | scripts/api_client.py:17
Medium | https://dex-quant-app-production.up.railway.app | scripts/api_client.py:41
Medium | https://fapi.binance.com | scripts/data_client.py:23
Medium | https://api.binance.com | scripts/data_client.py:24
Medium | https://api.coingecko.com/api/v3 | scripts/data_client.py:25
Medium | https://api.llama.fi | scripts/data_client.py:26

Two of these deserve a second look rather than alarm. The json-schema.org entry is the draft-07 $schema dialect identifier at the top of signal_format.json, not an address the skill connects to. http://your-server:8000 is an unconfigured plain-HTTP placeholder in api_client.py; confirm that the client actually resolves to the HTTPS railway endpoint at api_client.py:41 in deployment and that the placeholder is never used for real traffic. The remaining five are the documented Binance (spot and futures), CoinGecko, DeFi Llama and own-backend endpoints, all over HTTPS.

File Tree

17 files · 198.3 KB · 5353 lines (Python: 12 files, 4174 lines; Markdown: 2 files, 1054 lines; JSON: 3 files, 125 lines)
├─ 📁 docs
│ └─ 📝 DEX Quant产品文档.md Markdown 288L · 9.5 KB
├─ 📁 schemas
│ └─ 📋 signal_format.json JSON 92L · 2.9 KB
├─ 📁 scripts
│ ├─ 🐍 api_client.py Python 1516L · 59.8 KB
│ ├─ 🐍 data_client.py Python 685L · 23.9 KB
│ ├─ 🐍 indicators.py Python 364L · 11.7 KB
│ ├─ 🐍 machine_auth.py Python 141L · 4.2 KB
│ ├─ 🐍 risk_checker.py Python 120L · 4.1 KB
│ └─ 🐍 strategy_runner.py Python 455L · 16.4 KB
├─ 📁 strategies
│ ├─ 🐍 btc_aggressive_momentum.py Python 148L · 5.1 KB
│ ├─ 🐍 btc_macd_trend.py Python 161L · 5.8 KB
│ ├─ 🐍 btc_rsi_momentum.py Python 137L · 4.5 KB
│ ├─ 🐍 btc_trend_pullback.py Python 160L · 5.8 KB
│ ├─ 🐍 sol_kdj_swing.py Python 153L · 5.4 KB
│ └─ 🐍 sol_rsi_momentum.py Python 134L · 4.3 KB
├─ 📋 clawhub.json JSON 28L · 907 B
├─ 📋 conductor.json JSON 5L · 48 B
└─ 📝 SKILL.md Markdown 766L · 33.9 KB

Dependencies (3 items)

Package | Version | Source | Known Vulns | Notes
httpx | not pinned | pip install | No | Used for API calls; standard HTTP client
loguru | not pinned | pip install | No | Logging library; standard
matplotlib | not pinned | pip install | No | Charting library; standard

None of the three packages is version-pinned, and the skill installs them at runtime through subprocess pip install (see the Shell row above), so the versions that actually land depend on the package index at install time. Pin exact versions, and ideally hashes, before deploying this skill where it will hold trading credentials.

Security Positives

✓ Comprehensive documentation in SKILL.md with explicit security rules
✓ Secure vault system for private keys using one-time, browser-based secure link submission instead of chat
✓ All network communications go to documented endpoints: Binance, CoinGecko, DeFi Llama, and the skill's own backend (dex-quant-app-production.up.railway.app)
✓ Strategy scripts execute in a sandboxed server environment that blocks os/subprocess/socket imports (as stated by the skill; the server itself is not among the 17 scanned files, so the sandbox is outside the scope of this scan)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded execution or obfuscation detected
✓ No reverse shell, C2, or data theft patterns
✓ Clean codebase with no typosquatting or malicious dependencies
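The import block noted under Security Positives (os, subprocess and socket refused inside strategy code), shown as an added example that is not the skill's server code and does not claim to be how that server implements it. It demonstrates the mechanism such a block normally rests on in Python, a guarded __import__ in the builtins handed to exec(), and the pitfall that makes a sys.meta_path finder insufficient: os is already in sys.modules in every interpreter, and cached modules are returned without consulting finders. The names run_strategy, BLOCKED_MODULES and the three sample strategies are assumptions constructed for the illustration.

```python
"""Import deny-list for strategy code executed with exec().

Added example, not dex-quant-skill's sandbox. Function names, the blocked
set and the sample strategy sources below are assumptions.
"""
import builtins

BLOCKED_MODULES = {"os", "subprocess", "socket", "sys", "ctypes", "importlib"}


def make_guarded_import(blocked=BLOCKED_MODULES):
    real_import = builtins.__import__

    def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
        # `import os`, `from os import path`, `import os.path` and
        # `__import__("os")` all arrive here; compare the top-level package.
        if level:
            raise ImportError("relative imports are not allowed in strategies")
        top = name.partition(".")[0]
        if top in blocked:
            raise ImportError(f"module {top!r} is blocked in the strategy sandbox")
        return real_import(name, globals, locals, fromlist, level)

    return guarded_import


def run_strategy(source, blocked=BLOCKED_MODULES):
    """Run strategy source under a guarded __import__.

    Returns ("ok", value of the strategy's signal()) or ("blocked", reason).
    """
    safe_builtins = dict(vars(builtins))
    safe_builtins["__import__"] = make_guarded_import(blocked)
    # Builtins that reach the filesystem or execute arbitrary source are
    # removed as well; a strategy has no business opening files.
    for name in ("open", "exec", "eval", "compile", "breakpoint", "input", "help"):
        safe_builtins.pop(name, None)
    namespace = {"__builtins__": safe_builtins, "__name__": "strategy"}
    try:
        exec(compile(source, "<strategy>", "exec"), namespace)
    except ImportError as exc:
        return "blocked", str(exc)
    return "ok", namespace["signal"]()


# Constructed sample strategies: one honest, three that reach for the host.
CLEAN_STRATEGY = """
import math
def signal():
    rsi = 28.5
    return "long" if rsi < 30 else "flat"
"""

ESCAPE_ATTEMPT = """
import os
def signal():
    return os.listdir("/")
"""

FROM_IMPORT_ATTEMPT = """
from socket import create_connection
def signal():
    return create_connection(("127.0.0.1", 9))
"""

DUNDER_ATTEMPT = """
sub = __import__("subprocess")
def signal():
    return sub.check_output(["id"])
"""


if __name__ == "__main__":
    for label, src in [("clean", CLEAN_STRATEGY), ("import os", ESCAPE_ATTEMPT),
                       ("from socket", FROM_IMPORT_ATTEMPT), ("__import__", DUNDER_ATTEMPT)]:
        print(f"{label:12} -> {run_strategy(src)}")
```

This guard catches honest mistakes and obvious attempts, which is what an import deny-list can do. It is not an isolation boundary: Python code that can reach object introspection (for example through __subclasses__) can still get at modules the host has already loaded, so a production sandbox also needs OS-level isolation around the interpreter (separate process or container, no network, restricted syscalls).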