github-bounty-finder 安全扫描报告 — 低风险 | ClawSafe

20 /100

github-bounty-finder

Scan Algora/GitHub for high-value bounties

Legitimate bounty scanning tool with documented functionality; minor security gaps around undocumented resource permissions and unpinned dependencies.

技能名称github-bounty-finder

分析耗时27.0s

引擎pi

✓

可以安装

Declare explicit permission requirements in SKILL.md and pin dependency versions to address supply chain risk.

安全发现 3 项

严重性	安全发现	位置
低危	Missing permission declarations 文档欺骗 SKILL.md does not declare the network:READ or filesystem:WRITE permissions used by the tool `No declared permissions section` → Add a 'Permissions' or 'Required Capabilities' section explicitly listing network:READ and filesystem:WRITE	`SKILL.md:1`
低危	Unpinned dependency versions 供应链 package.json uses caret ranges (^1.6.0) for all dependencies, risking silent malicious updates `"axios": "^1.6.0"` → Pin to exact versions: "axios": "1.6.0"	`package.json:19`
提示	Unused dependency 供应链 node-fetch is listed but not used (axios handles HTTP requests) `"node-fetch": "^2.7.0"` → Remove node-fetch if not used to reduce attack surface	`package.json:22`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`WRITE`	✗ 越权	bin/cli.js:89 - fs.writeFileSync for --output flag
网络访问	`NONE`	`READ`	✗ 越权	src/scanner.js:32,63 - axios calls to github/algora APIs
环境变量	`NONE`	`READ`	✗ 越权	src/scanner.js:9-10 - reads GITHUB_TOKEN, ALGORA_API_KEY
命令执行	`NONE`	`NONE`	—	No shell execution found

6 项发现

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/version-1.0.0-blue.svg

README.md:5

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/license-MIT-green.svg

README.md:6

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen.svg

README.md:7

🔗

中危外部 URL 外部 URL

https://algora.io/settings/api

README.md:79

🔗

中危外部 URL 外部 URL

https://api.algora.io/v1/bounties

src/scanner.js:64

📧

提示邮箱邮箱地址

[email protected]

README.md:248

目录结构

6 文件 · 28.0 KB · 1056 行

Markdown 2f · 468L JavaScript 2f · 451L JSON 2f · 137L

├─ ▾ 📁 bin

│ └─ 📜 cli.js JavaScript 172L · 6.5 KB

├─ ▾ 📁 src

│ └─ 📜 scanner.js JavaScript 279L · 7.8 KB

├─ 📋 clawhub.json JSON 103L · 2.5 KB

├─ 📋 package.json JSON 34L · 745 B

├─ 📝 README.md Markdown 263L · 6.1 KB

└─ 📝 SKILL.md Markdown 205L · 4.4 KB

依赖分析 5 项

包名	版本	来源	已知漏洞	备注
`axios`	`^1.6.0`	npm	否	Version range allows updates
`chalk`	`^4.1.2`	npm	否	Safe terminal styling
`commander`	`^11.1.0`	npm	否	Safe CLI framework
`dotenv`	`^16.3.1`	npm	否	Safe env loading
`node-fetch`	`^2.7.0`	npm	否	Not actually used in code

安全亮点

✓ No credential exfiltration - tokens used only for API authentication

✓ No shell execution or command injection vectors

✓ No base64 obfuscation or suspicious encoding patterns

✓ Output file writing is explicitly documented in SKILL.md

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)

✓ No persistence mechanisms (no cron, startup hooks, or backdoors)

✓ Clear, straightforward codebase with no hidden functionality