Trusted — Risk Score 5/100
Last scan: 1 day ago
fxai-skill
Create V5 tokens (USDT/BNB pool optional; zero tax or one of four tax tiers); supports buying with USDT/BNB and selling by amount or by percentage to USDT/BNB
This is a legitimate BNB Chain DeFi skill for token creation and trading. All behavior (file reads, network uploads, blockchain calls) is fully documented and necessary for the stated purpose. No credential theft, exfiltration, obfuscation, or hidden functionality detected.
Skill Name: fxai-skill
Duration: 37.2s
Engine: pi
Safe to install
No action needed. Skill is safe to use for its stated DeFi token creation and trading purpose.

Findings 1 item

Severity: Low
Finding: Dependency versions not pinned (Supply Chain)
Location: package.json:13
Details: package.json uses caret (^) version ranges for axios and viem, allowing minor/patch updates. This introduces supply chain risk.
Evidence: "axios": "^1.6.0"
Recommendation: Pin exact versions (e.g., "axios": "1.6.0") to ensure reproducible builds and avoid unexpected updates.

Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | upload-token-meta.js reads local image files for token metadata upload
Network | READ | READ | ✓ Aligned | upload-token-meta.js POSTs to https://funcs.flap.sh/api/upload (documented in SK…
Shell | WRITE | WRITE | ✓ Aligned | BNB Chain MCP handles on-chain transactions; scripts use node CLI (documented)
Environment | READ | READ | ✓ Aligned | PRIVATE_KEY read by BNB Chain MCP for transaction signing (documented requiremen…
Skill Invoke | READ | READ | ✓ Aligned | Triggered by user input containing 'FXAI'

15 findings

Severity | Type | Value | Location
Medium | External URL | https://docs.bnbchain.org/showcase/mcp/skills/ | README.md:3
Medium | Wallet Address | 0x8f059fEb5f34031EfFA024e9EB8C9968BfFE516a | README.md:9
Medium | External URL | https://funcs.flap.sh/api/upload | README.md:21
Medium | Wallet Address | 0x55d398326f99059fF775485246999027B3197955 | SKILL.md:17
Medium | External URL | https://paulmillr.com/funding/ | package-lock.json:31
Medium | External URL | https://docs.flap.sh/flap/developers/token-launcher-developers/launch-token-through-portal | scripts/find-vanity-salt.js:4
Medium | External URL | https://docs.flap.sh/flap/developers/token-launcher-developers/deployed-contract-addresses | scripts/find-vanity-salt.js:13
Medium | External URL | https://docs.flap.sh/flap/developers/token-launcher-developers/launch-token-through-portal#3-find-the-salt-vanity-suffix | scripts/find-vanity-salt.js:14
Medium | Wallet Address | 0xe2cE6ab80874Fa9Fa2aAE65D277Dd6B8e65C9De0 | scripts/find-vanity-salt.js:16
Medium | Wallet Address | 0x8b4329947e34b6d56d71a3385cac122bade7d78d | scripts/find-vanity-salt.js:17
Medium | Wallet Address | 0x29e6383F0ce68507b5A72a53c2B118a118332aA8 | scripts/find-vanity-salt.js:18
Medium | Wallet Address | 0xae562c6A05b798499507c6276C6Ed796027807BA | scripts/find-vanity-salt.js:19
Medium | Wallet Address | 0x3d602d80600a3d3981f3363d3d373d3d3d363d73 | scripts/find-vanity-salt.js:23
Medium | External URL | https://funcs.flap.sh/api/upload(必须用此 | scripts/upload-token-meta.js:5
Medium | Wallet Address | 0x0000000000000000000000000000000000000000 | scripts/upload-token-meta.js:39

File Tree

8 files · 36.0 KB · 1152 lines
JSON 3f · 527L Markdown 3f · 404L JavaScript 2f · 221L
├─ 📁 references
│ └─ 📝 contract-abi.md Markdown 176L · 4.6 KB
├─ 📁 scripts
│ ├─ 📜 find-vanity-salt.js JavaScript 109L · 4.1 KB
│ └─ 🔑 upload-token-meta.js JavaScript 112L · 3.3 KB
├─ 📋 clawhub.json JSON 12L · 753 B
├─ 📋 package-lock.json JSON 500L · 16.6 KB
├─ 📋 package.json JSON 15L · 377 B
├─ 📝 README.md Markdown 88L · 1.8 KB
└─ 📝 SKILL.md Markdown 140L · 4.4 KB

Dependencies 3 items

Package | Version | Source | Known Vulns | Notes
axios | ^1.6.0 | npm | No | Caret range allows updates; no lockfile pinning
form-data | ^4.0.0 | npm | No | Caret range allows updates
viem | ^2.0.0 | npm | No | Caret range allows updates; no lockfile pinning

Security Positives

✓ No credential theft or exfiltration — PRIVATE_KEY stays within BNB Chain MCP, never accessed by skill scripts
✓ No obfuscation — all code is plain, readable JavaScript with no eval, atob, or base64 payloads
✓ All capabilities declared in SKILL.md and README.md — no hidden functionality
✓ find-vanity-salt.js performs pure local computation with no network calls
✓ upload-token-meta.js only uploads user-provided image + metadata to Flap API, returns IPFS CID
✓ No remote script execution (no curl|bash, wget|sh)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Legitimate DeFi tool with well-documented on-chain token creation and trading functionality