Low risk: risk score 20/100
Last scan: 1 day ago
crawdaddy
Autonomous security scanner for post-quantum cryptography readiness, smart contracts, and agent credential exposure
This is a pure-documentation skill bundle with no executable code whatsoever — it claims autonomous security scanning capabilities in SKILL.md but contains zero scripts or implementation files, making it incapable of performing any of its advertised functions.
Skill name: crawdaddy
Analysis time: 45.9s
Engine: pi
Verdict: OK to install
Do not trust this skill to perform any actual security scanning. It has no code; it is purely marketing documentation. If you need genuine post-quantum security analysis, use a properly implemented tool.

Security findings (3)

Severity: Medium
Finding: Zero executable code despite autonomous scanning claims
Category: Documentation deception
Description: SKILL.md describes an 'autonomous security scanner' with 'static analysis + LLM-assisted semantic review', 'coverage' for 6+ languages, and 'agent credential exposure detection' — yet the package contains only 3 files (SKILL.md, README.md, package.json) with zero scripts, zero implementations. This is purely marketing copy with no functional delivery mechanism.
Evidence (SKILL.md):
    # CrawDaddy - Post-Quantum Security Scanner
    Autonomous security scanner for...
Recommendation: A legitimate security tool would include scanning scripts or at minimum a _meta.json with allowed-tools declarations. This package cannot perform any of its advertised functions.
Location: SKILL.md:1

Severity: Low
Finding: No allowed-tools declaration in _meta.json
Category: Documentation deception
Description: The _meta.json file is missing entirely (ENOENT). The skill declares no permitted tools, no resource access levels, and no permission model. Without this, the agent framework has no way to scope this skill's capabilities — which is suspicious for a tool claiming deep system access (filesystem scanning, credential detection).
Evidence: file does not exist
Recommendation: A legitimate skill should have a _meta.json declaring filesystem:READ, network:READ, etc. for its claimed scanning behavior.
Location: _meta.json

Severity: Low
Finding: Embedded monetization in documentation
Category: Documentation deception
Description: SKILL.md embeds a pricing table ($0.50–$5.00) and a crypto wallet address (0x25B50fEd69175e474F9702C0613413F8323809a8) with no executable path. This could be used for payment harvesting or tracking if the skill is promoted as a paid service.
Evidence (SKILL.md):
    $0.50 - Small projects (<10K LOC)
    ...
    Wallet: 0x25B50fEd69175e474F9702C0613413F8323809a8
Recommendation: Monetization should be via a properly integrated payment mechanism, not embedded wallet addresses in documentation.
Location: SKILL.md:53
Resource type | Declared permission | Inferred permission | Evidence
--- | --- | --- | ---
Filesystem | NONE | NONE | No scripts, no file access code, no Read/Write tool usage
Network access | NONE | NONE | No WebFetch, curl, or HTTP client code present
Command execution | NONE | NONE | No Bash calls, no subprocess, no shell scripts
Environment variables | NONE | NONE | No os.environ access or env file present
Skill invocation | NONE | NONE | No inter-skill invocation code
Clipboard | NONE | NONE | No clipboard access code
Browser | NONE | NONE | No browser automation code
Database | NONE | NONE | No database connectivity code
Indicators (3 findings)

Severity | Indicator type | Value | Location
--- | --- | --- | ---
Medium | External URL | https://quantumshieldlabs.dev/agent/ | README.md:23
Medium | Cryptocurrency wallet address | 0x25B50fEd69175e474F9702C0613413F8323809a8 | SKILL.md:58
Info | Email address | [email protected] | README.md:22

Directory structure

3 files · 5.2 KB · 164 lines
Markdown: 2 files · 137 lines; JSON: 1 file · 27 lines
├─ package.json   JSON       27L · 669 B
├─ README.md      Markdown   27L · 670 B
└─ SKILL.md       Markdown  110L · 3.9 KB

Security highlights

✓ No executable code means no direct attack surface — the skill cannot perform any harmful actions
✓ No sensitive file access, environment variable reads, or credential harvesting code
✓ No network requests, external IP connections, or data exfiltration mechanisms
✓ No obfuscation techniques (base64, eval, encoding) present
✓ No supply chain risk — no dependencies, no package manager files with runtime code
✓ No persistence mechanisms (cron, startup scripts, backdoors)