Trusted — Risk Score 5/100
Last scan: 17 hr ago
Crab Catch
Web3 research skill for collecting project data from social media, websites, code, and on-chain data
Legitimate Web3 research skill with transparent API authentication, local credential generation, and declared network access. The flagged base64 usage is standard cryptographic key decoding, not obfuscation.
Skill Name: Crab Catch
Duration: 41.6s
Engine: pi
Safe to install
No action needed. This skill performs as documented - Web3 research with self-generated ECDSA credentials for API authentication.
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md declares local report storage to ~/.crab-catch/
Network | READ | READ | ✓ Aligned | SKILL.md declares API base URL https://crab-skill.opsat.io
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md requires 'npm install -g agent-browser' and 'agent-browser install'
Environment | NONE | NONE | | No environment variable access detected
Skill Invoke | READ | READ | ✓ Aligned | References twitter-analysis, github-analysis, onchain-audit sub-skills
Findings: 8 (1 Critical)

🔒 Critical · Encoded Execution (Base64 encoded execution / code obfuscation)
  Evidence: Buffer.from(pubKeyBase64, "base64"
  Location: scripts/crab_auth.js:101

💰 Medium · Wallet Address (cryptocurrency wallet address)
  Evidence: 0xdAC17F958D2ee523a2206206994597C13D831ec7
  Location: API_EXPLORER.md:76

💰 Medium · Wallet Address (cryptocurrency wallet address)
  Evidence: 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045
  Location: API_EXPLORER.md:155

🔗 Medium · External URL
  Evidence: https://crab-skill.opsat.io
  Location: SKILL.md:30

🔗 Medium · External URL
  Evidence: https://crab-skill.opsat.io/api/onchain/*
  Location: onchain-audit/SKILL.md:21

🔗 Medium · External URL
  Evidence: https://crab-skill.opsat.io/api/onchain-2/*
  Location: onchain-audit/SKILL.md:36

🔗 Medium · External URL
  Evidence: https://crab-skill.opsat.io/api/explorer/*
  Location: onchain-audit/SKILL.md:56

📧 Info · Email (email address)
  Evidence: [email protected]
  Location: agent-browser/SKILL.md:80

File Tree

12 files · 87.0 KB · 2498 lines (Markdown: 9 files, 1681 lines; JavaScript: 3 files, 817 lines)
├─ 📁 agent-browser
│ └─ 📝 SKILL.md Markdown 97L · 2.7 KB
├─ 📁 github-analysis
│ └─ 📝 SKILL.md Markdown 38L · 1.3 KB
├─ 📁 gork-analysis
│ └─ 📝 SKILL.md Markdown 83L · 3.5 KB
├─ 📁 onchain-audit
│ └─ 📝 SKILL.md Markdown 107L · 3.8 KB
├─ 📁 scripts
│ ├─ 📜 crab_auth.js JavaScript 191L · 5.3 KB
│ ├─ 📜 crab-sign.js JavaScript 91L · 2.7 KB
│ └─ 📜 github_analyze.js JavaScript 535L · 16.6 KB
├─ 📁 twitter-analysis
│ └─ 📝 SKILL.md Markdown 143L · 5.7 KB
├─ 📝 API_EXPLORER.md Markdown 269L · 5.7 KB
├─ 📝 ARCHITECTURE.md Markdown 319L · 12.0 KB
├─ 📝 REPORT_TEMPLATE.md Markdown 189L · 8.5 KB
└─ 📝 SKILL.md Markdown 436L · 19.2 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
node | >=16 | builtin | No | Uses built-in crypto and fetch modules only
agent-browser | * | npm | No | External CLI tool, declared in SKILL.md

Security Positives

✓ Self-contained credential generation using Node.js crypto module (no external key harvesting)
✓ Proper file permissions (0o600) for credential storage in ~/.config/crab/
✓ All network requests go to declared API endpoint (https://crab-skill.opsat.io)
✓ No shell command execution - scripts use Node.js built-in modules only
✓ Transparent documentation - all API endpoints, authentication flow, and data sources clearly declared
✓ GitHub analysis uses official GitHub API with optional token authentication
✓ No obfuscation techniques - base64 usage is standard cryptographic key handling
✓ No sensitive path access (~/.ssh, ~/.aws, .env) - credentials are self-generated