Low risk (risk score 15/100)
Last scanned: 1 day ago
social-value
Economic intelligence for sovereign AI agents — efficient micropayments via Breez SDK Liquid
This skill is pure documentation with no implementation scripts present; the actual wallet logic lives in the external `social-value` pip package, and declared capabilities align with the described Breez SDK functionality.
Skill name: social-value
Analysis time: 28.6s
Engine: pi
OK to install
Approve for use. No malicious behavior detected in the skill files themselves. Monitor the external `social-value` package for supply chain issues since version pinning is loose.

Security findings: 2

Severity | Finding | Location
Low
Loose version pinning on breez-sdk-liquid (Supply chain)
Dependency declared as breez-sdk-liquid>=0.11.0 allows any future version without review. While >= pinning is acceptable for major version stability, future minor/patch versions could introduce breaking changes or vulnerabilities.
"breez-sdk-liquid>=0.11.0"
→ Pin to a specific version when possible, e.g., breez-sdk-liquid==0.11.0 or use a narrow range like >=0.11.0,<0.12.0
metadata.json:26
Low
External pip package not audited (Supply chain)
The skill delegates all wallet logic to the external `social-value` pip package. This analysis only covers the skill's own files. The actual implementation, credential handling, and network behavior of social-value and breez-sdk-liquid were not reviewed.
pip install social-value
→ Audit the social-value package separately before production use. Verify the package author and check for known vulnerabilities.
SKILL.md:8
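| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No filesystem operations declared or present in skill files |
| Network access | NONE | NONE | | No network calls in skill files; network behavior delegated to Breez SDK runtime |
| Command execution | NONE | NONE | | No shell execution in skill files; pip install is handled by runtime |
| Environment variables | READ | READ | ✓ Consistent | SOCIAL_VALUE_MNEMONIC and BREEZ_API_KEY read from env vars as declared in SKILL.… |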
5 findings
Medium: External URL
https://breez.technology/sdk/
SKILL.md:48
Medium: External URL
https://clawhub.ai/vveerrgg/nostrkey
SKILL.md:52
Medium: External URL
https://clawhub.ai/vveerrgg/social-alignment
SKILL.md:54
Medium: External URL
https://clawhub.ai/vveerrgg/sense-memory
SKILL.md:56
Medium: External URL
https://huje.tools
metadata.json:8

Directory structure

2 files · 15.3 KB · 363 lines
Markdown 1f · 302L JSON 1f · 61L
├─ 📋 metadata.json JSON 61L · 1.5 KB
└─ 📝 SKILL.md Markdown 302L · 13.8 KB

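Dependency analysis: 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| social-value | unspecified | pip | | External package; not audited in this skill scan |
| breez-sdk-liquid | >=0.11.0 | pip | | Version not pinned to specific release |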

Security highlights

✓ No malicious code detected in skill files
✓ Mnemonic handling properly declared as environment variable, not hardcoded
✓ Security rules clearly documented: no telemetry, funds are real, test on testnet first
✓ No shell/filesystem/network operations embedded in skill documentation
✓ Clear separation between skill docs and actual implementation
✓ Legitimate Bitcoin/Lightning payment use case with Breez SDK