Low Risk — Risk Score 20/100
Last scan: 1 day ago
crawdaddy
Autonomous security scanner for post-quantum cryptography readiness, smart contracts, and agent credential exposure
This is a pure-documentation skill bundle with no executable code whatsoever — it claims autonomous security scanning capabilities in SKILL.md but contains zero scripts or implementation files, making it incapable of performing any of its advertised functions.
Skill Name: crawdaddy
Duration: 45.9s
Engine: pi
Safe to install
Do not trust this skill to perform any actual security scanning. It has no code; it is purely marketing documentation. If you need genuine post-quantum security analysis, use a properly implemented tool.

Findings (3 items)

Severity: Medium
Finding: Zero executable code despite autonomous scanning claims (Doc Mismatch)
SKILL.md describes an 'autonomous security scanner' with 'static analysis + LLM-assisted semantic review', 'coverage' for 6+ languages, and 'agent credential exposure detection' — yet the package contains only 3 files (SKILL.md, README.md, package.json) with zero scripts, zero implementations. This is purely marketing copy with no functional delivery mechanism.
    # CrawDaddy - Post-Quantum Security Scanner
    Autonomous security scanner for...
→ A legitimate security tool would include scanning scripts or at minimum a _meta.json with allowed-tools declarations. This package cannot perform any of its advertised functions.
Location: SKILL.md:1
Severity: Low
Finding: No allowed-tools declaration in _meta.json (Doc Mismatch)
The _meta.json file is missing entirely (ENOENT). The skill declares no permitted tools, no resource access levels, and no permission model. Without this, the agent framework has no way to scope this skill's capabilities — which is suspicious for a tool claiming deep system access (filesystem scanning, credential detection).
    file does not exist
→ A legitimate skill should have a _meta.json declaring filesystem:READ, network:READ, etc. for its claimed scanning behavior.
Location: _meta.json
Severity: Low
Finding: Embedded monetization in documentation (Doc Mismatch)
SKILL.md embeds a pricing table ($0.50–$5.00) and a crypto wallet address (0x25B50fEd69175e474F9702C0613413F8323809a8) with no executable path. This could be used for payment harvesting or tracking if the skill is promoted as a paid service.
    $0.50 - Small projects (<10K LOC)
    ...
    Wallet: 0x25B50fEd69175e474F9702C0613413F8323809a8
→ Monetization should be via a properly integrated payment mechanism, not embedded wallet addresses in documentation.
Location: SKILL.md:53
Resource       Declared  Inferred  Status  Evidence
Filesystem     NONE      NONE              No scripts, no file access code, no Read/Write tool usage
Network        NONE      NONE              No WebFetch, curl, or HTTP client code present
Shell          NONE      NONE              No Bash calls, no subprocess, no shell scripts
Environment    NONE      NONE              No os.environ access or env file present
Skill Invoke   NONE      NONE              No inter-skill invocation code
Clipboard      NONE      NONE              No clipboard access code
Browser        NONE      NONE              No browser automation code
Database       NONE      NONE              No database connectivity code
3 findings

Medium: External URL
https://quantumshieldlabs.dev/agent/
README.md:23

Medium: Wallet Address
0x25B50fEd69175e474F9702C0613413F8323809a8
SKILL.md:58

Info: Email
[email protected]
README.md:22

File Tree

3 files · 5.2 KB · 164 lines
Markdown: 2 files · 137 lines; JSON: 1 file · 27 lines
├─ 📋 package.json JSON 27L · 669 B
├─ 📝 README.md Markdown 27L · 670 B
└─ 📝 SKILL.md Markdown 110L · 3.9 KB

Security Positives

✓ No executable code means no direct attack surface — the skill cannot perform any harmful actions
✓ No sensitive file access, environment variable reads, or credential harvesting code
✓ No network requests, external IP connections, or data exfiltration mechanisms
✓ No obfuscation techniques (base64, eval, encoding) present
✓ No supply chain risk — no dependencies, no package manager files with runtime code
✓ No persistence mechanisms (cron, startup scripts, backdoors)