Trusted · Risk score 5/100
Last scanned: 17 hours ago
Crab Catch
Web3 research skill for collecting project data from social media, websites, code, and on-chain data
Legitimate Web3 research skill with transparent API authentication, local credential generation, and declared network access. The flagged base64 usage is standard cryptographic key decoding, not obfuscation.
Skill name: Crab Catch
Analysis time: 41.6s
Engine: pi
OK to install
No action needed. This skill performs as documented - Web3 research with self-generated ECDSA credentials for API authentication.
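| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | SKILL.md declares local report storage to ~/.crab-catch/ |
| Network access | READ | READ | ✓ Consistent | SKILL.md declares API base URL https://crab-skill.opsat.io |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md requires 'npm install -g agent-browser' and 'agent-browser install' |
| Environment variables | NONE | NONE | | No environment variable access detected |
| Skill invocation | READ | READ | ✓ Consistent | References twitter-analysis, github-analysis, onchain-audit sub-skills |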
8 findings · 1 critical

Critical · Encoded execution · Base64-encoded execution (code obfuscation)
Buffer.from(pubKeyBase64, "base64"
scripts/crab_auth.js:101
Medium · Wallet address · Cryptocurrency wallet address
0xdAC17F958D2ee523a2206206994597C13D831ec7
API_EXPLORER.md:76
Medium · Wallet address · Cryptocurrency wallet address
0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045
API_EXPLORER.md:155
Medium · External URL · External URL
https://crab-skill.opsat.io
SKILL.md:30
Medium · External URL · External URL
https://crab-skill.opsat.io/api/onchain/*
onchain-audit/SKILL.md:21
Medium · External URL · External URL
https://crab-skill.opsat.io/api/onchain-2/*
onchain-audit/SKILL.md:36
Medium · External URL · External URL
https://crab-skill.opsat.io/api/explorer/*
onchain-audit/SKILL.md:56
Info · Email · Email address
[email protected]
agent-browser/SKILL.md:80

Directory structure

12 files · 87.0 KB · 2498 lines
Markdown 9 files · 1681 lines; JavaScript 3 files · 817 lines
├─ 📁 agent-browser
│ └─ 📝 SKILL.md Markdown 97L · 2.7 KB
├─ 📁 github-analysis
│ └─ 📝 SKILL.md Markdown 38L · 1.3 KB
├─ 📁 gork-analysis
│ └─ 📝 SKILL.md Markdown 83L · 3.5 KB
├─ 📁 onchain-audit
│ └─ 📝 SKILL.md Markdown 107L · 3.8 KB
├─ 📁 scripts
│ ├─ 📜 crab_auth.js JavaScript 191L · 5.3 KB
│ ├─ 📜 crab-sign.js JavaScript 91L · 2.7 KB
│ └─ 📜 github_analyze.js JavaScript 535L · 16.6 KB
├─ 📁 twitter-analysis
│ └─ 📝 SKILL.md Markdown 143L · 5.7 KB
├─ 📝 API_EXPLORER.md Markdown 269L · 5.7 KB
├─ 📝 ARCHITECTURE.md Markdown 319L · 12.0 KB
├─ 📝 REPORT_TEMPLATE.md Markdown 189L · 8.5 KB
└─ 📝 SKILL.md Markdown 436L · 19.2 KB

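Dependency analysis: 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| node | >=16 | builtin | | Uses built-in crypto and fetch modules only |
| agent-browser | * | npm | | External CLI tool, declared in SKILL.md |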

Security highlights

✓ Self-contained credential generation using Node.js crypto module (no external key harvesting)
✓ Proper file permissions (0o600) for credential storage in ~/.config/crab/
✓ All network requests go to declared API endpoint (https://crab-skill.opsat.io)
✓ No shell command execution - scripts use Node.js built-in modules only
✓ Transparent documentation - all API endpoints, authentication flow, and data sources clearly declared
✓ GitHub analysis uses official GitHub API with optional token authentication
✓ No obfuscation techniques - base64 usage is standard cryptographic key handling
✓ No sensitive path access (~/.ssh, ~/.aws, .env) - credentials are self-generated