Low risk: risk score 10/100
Last scan: 1 day ago
dex-quant-skill
Cryptocurrency quantitative trading AI Skill for strategy generation, backtesting, optimization, and monitoring
Legitimate cryptocurrency quantitative trading skill with well-documented functionality, secure credential handling via secure links, and only declared external API communications with major exchanges.
Skill name: dex-quant-skill
Analysis time: 39.1s
Engine: pi
Verdict: safe to install
Skill appears safe for use. Monitor vault system behavior when users configure wallet keys.

Security findings: 1

Severity | Finding | Category | Location
Low | Wallet private key handling | Credential theft | scripts/api_client.py

Skill includes a vault system for Hyperliquid wallet private keys. However, this is well designed: SKILL.md explicitly prohibits receiving keys via chat and mandates secure-link submission via vault_setup_link().
Evidence: vault_setup_link() generates a one-time secure URL for browser submission
→ Current design is secure. Continue enforcing the no-chat-key policy.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | SKILL.md: Write tool declared; scripts save strategies to {baseDir}/strategies/
Network access | READ | READ | ✓ Consistent | API calls to Binance, CoinGecko, DeFi Llama, and own server; all documented
Command execution | WRITE | WRITE | ✓ Consistent | subprocess used for pip install, font installation; declared in preamble
Environment variables | NONE | READ | ✓ Consistent | data_client.py reads PROXY_URL env var; documented purpose
Skill invocation | NONE | NONE | |
Clipboard | NONE | NONE | |
Browser | NONE | NONE | |
Database | NONE | NONE | |
External URLs: 7 findings

Severity | Type | URL | Location
Medium | External URL | http://json-schema.org/draft-07/schema# | schemas/signal_format.json:2
Medium | External URL | http://your-server:8000 | scripts/api_client.py:17
Medium | External URL | https://dex-quant-app-production.up.railway.app | scripts/api_client.py:41
Medium | External URL | https://fapi.binance.com | scripts/data_client.py:23
Medium | External URL | https://api.binance.com | scripts/data_client.py:24
Medium | External URL | https://api.coingecko.com/api/v3 | scripts/data_client.py:25
Medium | External URL | https://api.llama.fi | scripts/data_client.py:26

Directory structure

17 files · 198.3 KB · 5353 lines
Python 12 files · 4174 lines; Markdown 2 files · 1054 lines; JSON 3 files · 125 lines
├─ 📁 docs
│ └─ 📝 DEX Quant产品文档.md Markdown 288L · 9.5 KB
├─ 📁 schemas
│ └─ 📋 signal_format.json JSON 92L · 2.9 KB
├─ 📁 scripts
│ ├─ 🐍 api_client.py Python 1516L · 59.8 KB
│ ├─ 🐍 data_client.py Python 685L · 23.9 KB
│ ├─ 🐍 indicators.py Python 364L · 11.7 KB
│ ├─ 🐍 machine_auth.py Python 141L · 4.2 KB
│ ├─ 🐍 risk_checker.py Python 120L · 4.1 KB
│ └─ 🐍 strategy_runner.py Python 455L · 16.4 KB
├─ 📁 strategies
│ ├─ 🐍 btc_aggressive_momentum.py Python 148L · 5.1 KB
│ ├─ 🐍 btc_macd_trend.py Python 161L · 5.8 KB
│ ├─ 🐍 btc_rsi_momentum.py Python 137L · 4.5 KB
│ ├─ 🐍 btc_trend_pullback.py Python 160L · 5.8 KB
│ ├─ 🐍 sol_kdj_swing.py Python 153L · 5.4 KB
│ └─ 🐍 sol_rsi_momentum.py Python 134L · 4.3 KB
├─ 📋 clawhub.json JSON 28L · 907 B
├─ 📋 conductor.json JSON 5L · 48 B
└─ 📝 SKILL.md Markdown 766L · 33.9 KB

Dependency analysis: 3 items

Package | Version | Source | Known vulnerabilities | Notes
httpx | not pinned | pip install | (none listed) | Used for API calls; standard HTTP client
loguru | not pinned | pip install | (none listed) | Logging library; standard
matplotlib | not pinned | pip install | (none listed) | Charting library; standard

Security highlights

✓ Comprehensive documentation in SKILL.md with explicit security rules
✓ Secure vault system for private keys using browser-based secure link submission
✓ All network communications are with legitimate financial APIs (Binance, CoinGecko, DeFi Llama)
✓ Strategy scripts execute in a sandboxed server environment, blocking os/subprocess/socket imports
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded execution or obfuscation detected
✓ No reverse shell, C2, or data theft patterns
✓ Clean codebase with no typosquatting or malicious dependencies