Low Risk — Risk Score 15/100
Last scan: 1 day ago
social-value
Economic intelligence for sovereign AI agents — efficient micropayments via Breez SDK Liquid
This skill is pure documentation with no implementation scripts present; the actual wallet logic lives in the external `social-value` pip package, and declared capabilities align with the described Breez SDK functionality.
Skill Name: social-value
Duration: 28.6s
Engine: pi
Safe to install
Approve for use. No malicious behavior detected in the skill files themselves. Monitor the external `social-value` package for supply chain issues since version pinning is loose.

Findings 2 items

Severity: Low
Finding: Loose version pinning on breez-sdk-liquid (Supply Chain)
Location: metadata.json:26
Dependency declared as breez-sdk-liquid>=0.11.0 allows any future version without review. While >= pinning is acceptable for major version stability, future minor/patch versions could introduce breaking changes or vulnerabilities.
"breez-sdk-liquid>=0.11.0"
→ Pin to a specific version when possible, e.g., breez-sdk-liquid==0.11.0 or use a narrow range like >=0.11.0,<0.12.0

Severity: Low
Finding: External pip package not audited (Supply Chain)
Location: SKILL.md:8
The skill delegates all wallet logic to the external `social-value` pip package. This analysis only covers the skill's own files. The actual implementation, credential handling, and network behavior of social-value and breez-sdk-liquid were not reviewed.
pip install social-value
→ Audit the social-value package separately before production use. Verify the package author and check for known vulnerabilities.

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No filesystem operations declared or present in skill files |
| Network | NONE | NONE | | No network calls in skill files; network behavior delegated to Breez SDK runtime |
| Shell | NONE | NONE | | No shell execution in skill files; pip install is handled by runtime |
| Environment | READ | READ | ✓ Aligned | SOCIAL_VALUE_MNEMONIC and BREEZ_API_KEY read from env vars as declared in SKILL.… |

5 findings
Medium External URL
https://breez.technology/sdk/
SKILL.md:48

Medium External URL
https://clawhub.ai/vveerrgg/nostrkey
SKILL.md:52

Medium External URL
https://clawhub.ai/vveerrgg/social-alignment
SKILL.md:54

Medium External URL
https://clawhub.ai/vveerrgg/sense-memory
SKILL.md:56

Medium External URL
https://huje.tools
metadata.json:8

File Tree

2 files · 15.3 KB · 363 lines
Markdown 1f · 302L JSON 1f · 61L
├─ 📋 metadata.json JSON 61L · 1.5 KB
└─ 📝 SKILL.md Markdown 302L · 13.8 KB

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| social-value | unspecified | pip | No | External package; not audited in this skill scan |
| breez-sdk-liquid | >=0.11.0 | pip | No | Version not pinned to specific release |

Security Positives

✓ No malicious code detected in skill files
✓ Mnemonic handling properly declared as environment variable, not hardcoded
✓ Security rules clearly documented: no telemetry, funds are real, test on testnet first
✓ No shell/filesystem/network operations embedded in skill documentation
✓ Clear separation between skill docs and actual implementation
✓ Legitimate Bitcoin/Lightning payment use case with Breez SDK