solana-monitor 安全扫描报告 — 可信 | ClawSafe

5 /100

solana-monitor

实时监控 Solana 价格、大额转账、流动性变化，支持 Telegram/邮件警报

Legitimate Solana blockchain monitoring tool with transparent functionality for price tracking, whale transfer detection, and alert notifications via Telegram/Email.

技能名称solana-monitor

分析耗时29.1s

引擎pi

✓

可以安装

This skill is safe to use. No malicious behavior detected. Standard security practices include never sharing API credentials and using app-specific passwords for email notifications.

安全发现 2 项

严重性	安全发现	位置
低危	Documentation references non-existent config file 文档欺骗 SKILL.md mentions config/config.yaml for configuration, but the actual implementation uses constructor parameters. No config.yaml file is present. 创建配置文件 `config/config.yaml` → Update SKILL.md to reflect actual configuration method (constructor parameters) or implement config file loading.	`SKILL.md:55`
提示	Dependencies not strictly pinned 供应链 requirements.txt uses >= for version constraints which allows updates. python-dotenv is imported but not actively used in reviewed code. `python-dotenv>=1.0.0` → Consider pinning exact versions or removing unused dependencies.	`requirements.txt:2`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	requests.get/post to CoinGecko API, Solana RPC, Telegram API
文件系统	`NONE`	`NONE`	—	No file operations in code
命令执行	`NONE`	`NONE`	—	No subprocess or os.system calls
环境变量	`NONE`	`NONE`	—	No os.environ access; credentials passed via constructor
技能调用	`NONE`	`NONE`	—	No skill invocation capabilities
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No database access

6 项发现

🔗

中危外部 URL 外部 URL

https://api.telegram.org/bot

scripts/notifier.py:32

🔗

中危外部 URL 外部 URL

https://solscan.io/tx/

scripts/notifier.py:119

🔗

中危外部 URL 外部 URL

https://api.coingecko.com/api/v3

scripts/price_monitor.py:17

🔗

中危外部 URL 外部 URL

https://api.mainnet-beta.solana.com

scripts/whale_monitor.py:17

📧

提示邮箱邮箱地址

[email protected]

README.md:43

📧

提示邮箱邮箱地址

[email protected]

README.md:175

目录结构

7 文件 · 32.6 KB · 1230 行

Python 3f · 856L Markdown 2f · 330L JSON 1f · 42L Text 1f · 2L

├─ ▾ 📁 scripts

│ ├─ 🐍 notifier.py Python 319L · 9.6 KB

│ ├─ 🐍 price_monitor.py Python 263L · 7.6 KB

│ └─ 🐍 whale_monitor.py Python 274L · 8.5 KB

├─ 📋 _meta.json JSON 42L · 1005 B

├─ 📝 README.md Markdown 187L · 3.5 KB

├─ 📄 requirements.txt Text 2L · 38 B

└─ 📝 SKILL.md Markdown 143L · 2.3 KB

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`requests`	`>=2.28.0`	pip	否	Well-maintained HTTP library
`python-dotenv`	`>=1.0.0`	pip	否	Environment variable loader, not actively used in code

安全亮点

✓ Uses only public, well-known APIs (CoinGecko, Solana RPC, Telegram) with no direct IP connections

✓ No credential harvesting - credentials are used legitimately for notification delivery only

✓ No shell execution or subprocess usage

✓ No data exfiltration or C2 communication patterns

✓ Code is readable and transparent with no obfuscation

✓ Dependencies are standard, reputable Python packages (requests, python-dotenv)

✓ All functionality declared in SKILL.md matches actual implementation