Low Risk — Risk Score 20/100
Last scan: 1 day ago
github-bounty-finder
Scan Algora/GitHub for high-value bounties
Legitimate bounty scanning tool with documented functionality; minor security gaps around undocumented resource permissions and unpinned dependencies.
Skill Name: github-bounty-finder
Duration: 27.0s
Engine: pi
Safe to install
Declare explicit permission requirements in SKILL.md and pin dependency versions to address supply chain risk.

Findings (3 items)

Severity | Finding | Category | Location

Low | Missing permission declarations | Doc Mismatch | SKILL.md:1
  SKILL.md does not declare the network:READ or filesystem:WRITE permissions used by the tool.
  Evidence: No declared permissions section
  → Add a 'Permissions' or 'Required Capabilities' section explicitly listing network:READ and filesystem:WRITE

Low | Unpinned dependency versions | Supply Chain | package.json:19
  package.json uses caret ranges (^1.6.0) for all dependencies, risking silent malicious updates.
  Evidence: "axios": "^1.6.0"
  → Pin to exact versions: "axios": "1.6.0"

Info | Unused dependency | Supply Chain | package.json:22
  node-fetch is listed but not used (axios handles HTTP requests).
  Evidence: "node-fetch": "^2.7.0"
  → Remove node-fetch if not used to reduce attack surface
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✗ Violation | bin/cli.js:89 - fs.writeFileSync for --output flag
Network | NONE | READ | ✗ Violation | src/scanner.js:32,63 - axios calls to github/algora APIs
Environment | NONE | READ | ✗ Violation | src/scanner.js:9-10 - reads GITHUB_TOKEN, ALGORA_API_KEY
Shell | NONE | NONE | | No shell execution found
External URLs and email addresses (6 findings)

Severity | Type | Value | Location
Medium | External URL | https://img.shields.io/badge/version-1.0.0-blue.svg | README.md:5
Medium | External URL | https://img.shields.io/badge/license-MIT-green.svg | README.md:6
Medium | External URL | https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen.svg | README.md:7
Medium | External URL | https://algora.io/settings/api | README.md:79
Medium | External URL | https://api.algora.io/v1/bounties | src/scanner.js:64
Info | Email | [email protected] | README.md:248

File Tree

6 files · 28.0 KB · 1056 lines
Markdown: 2 files, 468 lines · JavaScript: 2 files, 451 lines · JSON: 2 files, 137 lines

├─ bin/
│  └─ cli.js (JavaScript, 172 lines, 6.5 KB)
├─ src/
│  └─ scanner.js (JavaScript, 279 lines, 7.8 KB)
├─ clawhub.json (JSON, 103 lines, 2.5 KB)
├─ package.json (JSON, 34 lines, 745 B)
├─ README.md (Markdown, 263 lines, 6.1 KB)
└─ SKILL.md (Markdown, 205 lines, 4.4 KB)

Dependencies (5 items)

Package | Version | Source | Known Vulns | Notes
axios | ^1.6.0 | npm | No | Version range allows updates
chalk | ^4.1.2 | npm | No | Safe terminal styling
commander | ^11.1.0 | npm | No | Safe CLI framework
dotenv | ^16.3.1 | npm | No | Safe env loading
node-fetch | ^2.7.0 | npm | No | Not actually used in code

Security Positives

✓ No credential exfiltration - tokens used only for API authentication
✓ No shell execution or command injection vectors
✓ No base64 obfuscation or suspicious encoding patterns
✓ Output file writing is explicitly documented in SKILL.md
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ No persistence mechanisms (no cron, startup hooks, or backdoors)
✓ Clear, straightforward codebase with no hidden functionality