Trusted: risk score 5/100
Last scanned: 1 day ago
fxai-skill
Create V5 tokens (USDT/BNB pool selectable; 0 tax or four tax tiers); supports buying with USDT/BNB and selling to USDT/BNB by amount or by percentage.
This is a legitimate BNB Chain DeFi skill for token creation and trading. All behavior (file reads, network uploads, blockchain calls) is fully documented and necessary for the stated purpose. No credential theft, exfiltration, obfuscation, or hidden functionality detected.
Skill name: fxai-skill
Analysis time: 37.2s
Engine: pi
Safe to install
No action needed. Skill is safe to use for its stated DeFi token creation and trading purpose.

Security findings: 1

Severity: Low
Finding: Dependency versions not pinned (supply chain)
Location: package.json:13
package.json uses caret (^) version ranges for axios and viem, allowing minor/patch updates. This introduces supply chain risk.
"axios": "^1.6.0"
→ Pin exact versions (e.g., "axios": "1.6.0") to ensure reproducible builds and avoid unexpected updates.
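
| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | READ | READ | ✓ Consistent | upload-token-meta.js reads local image files for token metadata upload |
| Network access | READ | READ | ✓ Consistent | upload-token-meta.js POSTs to https://funcs.flap.sh/api/upload (documented in SK… |
| Command execution | WRITE | WRITE | ✓ Consistent | BNB Chain MCP handles on-chain transactions; scripts use node CLI (documented) |
| Environment variables | READ | READ | ✓ Consistent | PRIVATE_KEY read by BNB Chain MCP for transaction signing (documented requiremen… |
| Skill invocation | READ | READ | ✓ Consistent | Triggered by user input containing 'FXAI' |
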
15 findings (medium severity: external URLs and cryptocurrency wallet addresses)

Directory structure

8 files · 36.0 KB · 1152 lines
JSON 3f · 527L Markdown 3f · 404L JavaScript 2f · 221L
├─ 📁 references
│ └─ 📝 contract-abi.md Markdown 176L · 4.6 KB
├─ 📁 scripts
│ ├─ 📜 find-vanity-salt.js JavaScript 109L · 4.1 KB
│ └─ 🔑 upload-token-meta.js JavaScript 112L · 3.3 KB
├─ 📋 clawhub.json JSON 12L · 753 B
├─ 📋 package-lock.json JSON 500L · 16.6 KB
├─ 📋 package.json JSON 15L · 377 B
├─ 📝 README.md Markdown 88L · 1.8 KB
└─ 📝 SKILL.md Markdown 140L · 4.4 KB

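Dependency analysis: 3 items

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| axios | ^1.6.0 | npm | | Caret range allows updates; no lockfile pinning |
| form-data | ^4.0.0 | npm | | Caret range allows updates |
| viem | ^2.0.0 | npm | | Caret range allows updates; no lockfile pinning |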

Security highlights

✓ No credential theft or exfiltration — PRIVATE_KEY stays within BNB Chain MCP, never accessed by skill scripts
✓ No obfuscation — all code is plain, readable JavaScript with no eval, atob, or base64 payloads
✓ All capabilities declared in SKILL.md and README.md — no hidden functionality
✓ find-vanity-salt.js performs pure local computation with no network calls
✓ upload-token-meta.js only uploads user-provided image + metadata to Flap API, returns IPFS CID
✓ No remote script execution (no curl|bash, wget|sh)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Legitimate DeFi tool with well-documented on-chain token creation and trading functionality