Bitget Trader 安全扫描报告 — 可疑 | ClawSafe

45 /100

Bitget Trader

Professional Bitget integration for automated grid trading and portfolio management

Legitimate cryptocurrency trading automation for Bitget exchange with critically sensitive API credentials embedded in plaintext config files, representing significant credential theft risk if compromised.

技能名称Bitget Trader

分析耗时82.7s

引擎pi

⚠

谨慎使用

Immediately rotate all exposed API credentials. Never store plaintext secrets in configuration files; use environment variables or a secrets manager instead. Enable IP whitelisting on the exchange.

攻击链 3 步

⬡

提权 Attacker gains read access to workspace directory

config.json:1

◉

影响 Extracts plaintext API credentials from config.json or multi_agent_config.json

config.json:2

◉

影响 Uses harvested credentials to execute unauthorized trades on Bitget exchange

api.bitget.com

安全发现 4 项

严重性	安全发现	位置
严重	Exposed API Credentials in Plaintext 凭证窃取 Real Bitget exchange API credentials (apiKey, secretKey, passphrase) are embedded in plaintext in config.json and multi_agent_config.json. These credentials enable spot trading and could be harvested for unauthorized trading or fund theft. `{"apiKey": "bg_73063f99df20ccf3320032e80d0bd1f3", "secretKey": "ecdc70207a6395da7772210d1c6c8bf1a88f47af83b24dec2aa066d91f495387", "passphrase": "Lin12345"}` → Use environment variables (BITGET_API_KEY, BITGET_SECRET_KEY) instead of storing credentials in files. Add config.json to .gitignore immediately.	`config.json:1`
中危	Network Capability Mismatch 文档欺骗 SKILL.md declares network:READ but the scripts perform POST requests to place/cancel orders, representing WRITE operations on the exchange. `Documentation describes 'monitor' and 'check balance' but actual scripts execute trades` → Update SKILL.md to declare network:WRITE permission and document all trading capabilities	`SKILL.md:1`
中危	Undeclared Shell Execution 权限提升 setup-cron.js and bitget-cli.js use execSync to run openclaw CLI commands and spawn Node.js scripts. This shell:WRITE capability is not declared in SKILL.md. `execSync('openclaw cron list', { encoding: 'utf8' })` → Document shell execution requirements in SKILL.md if intentional, or refactor to use native Node.js APIs	`setup-cron.js:28`
低危	HttpsProxyAgent Dependency 供应链 Some scripts reference https-proxy-agent package for proxy support, but this external dependency is not declared in any requirements.txt or package.json. `HttpsProxyAgent = require('https-proxy-agent').HttpsProxyAgent` → Create package.json to document all dependencies and versions	`rebalance.js:8`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	All scripts read config.json and grid_settings.json
网络访问	`READ`	`WRITE`	✗ 越权	Places/cancels orders, not just reads data
命令执行	`NONE`	`WRITE`	✗ 越权	setup-cron.js:28, bitget-cli.js:89 use execSync
技能调用	`NONE`	`READ`	✓ 一致	CLI dispatches to other scripts via execSync

10 项发现

🔗

中危外部 URL 外部 URL

https://api.bitget.com/api/v2/spot/market/tickers?symbol=SOLUSDT

GRID_STATUS_2026-03-17_2208.md:117

🔗

中危外部 URL 外部 URL

https://www.bitget.com

MANUAL_SETUP.md:26

🔗

中危外部 URL 外部 URL

https://api.bitget.com

MULTI_AGENT_SETUP_GUIDE.md:331

🔗

中危外部 URL 外部 URL

https://www.google.com

MULTI_AGENT_TEST_REPORT_2026-03-17.md:189

🔗

中危外部 URL 外部 URL

https://www.investopedia.com/

QUANT_SYSTEM.md:233

🔗

中危外部 URL 外部 URL

https://www.quantconnect.com/

QUANT_SYSTEM.md:234

🔗

中危外部 URL 外部 URL

http://127.0.0.1:7897

README.md:242

🔗

中危外部 URL 外部 URL

https://api.bitget.com$

dynamic-adjust-v2.js:14

🔗

中危外部 URL 外部 URL

https://api.binance.com/api/v3/klines?symbol=$

dynamic-adjust.js:16

🔗

中危外部 URL 外部 URL

https://api.binance.com/api/v3/ticker/price?symbol=$

dynamic-adjust.js:45

目录结构

137 文件 · 662.8 KB · 22340 行

JavaScript 74f · 13942L Markdown 39f · 7314L JSON 21f · 1007L Shell 3f · 77L

├─ ▾ 📁 snapshots

│ └─ 📋 2026-03-07.json JSON 10L · 190 B

├─ 📜 analyze-coins.js JavaScript 145L · 5.7 KB

├─ 📜 analyze-orders.js JavaScript 200L · 7.8 KB

├─ 📜 analyze-strategy.js JavaScript 214L · 7.2 KB

├─ 📜 apply-dynamic-grid.js JavaScript 101L · 3.8 KB

├─ 📜 apply-highfreq.js JavaScript 55L · 2.2 KB

├─ 📜 apply-scheme-a-final.js JavaScript 309L · 11.0 KB

├─ 📜 apply-scheme-a-v2.js JavaScript 281L · 10.2 KB

├─ 📜 apply-scheme-a.js JavaScript 262L · 9.5 KB

├─ 📜 auto-monitor.js JavaScript 290L · 10.2 KB

├─ 📜 bitget-cli.js JavaScript 168L · 4.8 KB

├─ 📜 buy-bnb-limit.js JavaScript 93L · 3.2 KB

├─ 📜 buy-bnb-market.js JavaScript 98L · 3.4 KB

├─ 📜 buy-eth-market.js JavaScript 82L · 2.8 KB

├─ 📜 cancel-all-btc.js JavaScript 135L · 4.8 KB

├─ 📜 cancel-all-orders.js JavaScript 137L · 4.3 KB

├─ 📜 cancel-all.js JavaScript 130L · 4.7 KB

├─ 📜 check-balance.js JavaScript 117L · 3.6 KB

├─ 📜 check-prices.js JavaScript 122L · 5.0 KB

├─ 📝 COIN_ANALYSIS_REPORT.md Markdown 241L · 5.9 KB

├─ 🔑 config.json ⚠ JSON 6L · 190 B

├─ 📋 conservative_deployment_report.json JSON 47L · 1.1 KB

├─ 📜 create-highfreq-config.js JavaScript 93L · 3.8 KB

├─ 📋 cron_config.json JSON 33L · 1.4 KB

├─ 📝 daily_report.md Markdown 31L · 490 B

├─ 📜 debug-orders.js JavaScript 117L · 4.3 KB

├─ 📝 DECISION_SUMMARY_2026-03-17_2236.md Markdown 137L · 3.1 KB

├─ 📜 deploy-bnb-grid.js JavaScript 127L · 4.4 KB

├─ 📜 deploy-bnb-new.js JavaScript 101L · 3.7 KB

├─ 📜 deploy-conservative.js JavaScript 293L · 9.3 KB

├─ 📜 deploy-dynamic-grid.js JavaScript 145L · 4.8 KB

├─ 📜 deploy-eth-buys.js JavaScript 92L · 3.1 KB

├─ 📜 deploy-eth-grid.js JavaScript 134L · 4.9 KB

├─ 📜 deploy-highfreq-grids.js JavaScript 325L · 10.6 KB

├─ 📜 deploy-sell-orders.js JavaScript 162L · 5.2 KB

├─ 📜 deploy-simple-grid.js JavaScript 206L · 6.7 KB

├─ 📜 deploy-ultra-grids-v2.js JavaScript 318L · 10.3 KB

├─ 📜 deploy-ultra-grids.js JavaScript 256L · 7.8 KB

├─ 📝 DEPLOYMENT_REPORT_2026-03-17_2138.md Markdown 197L · 4.2 KB

├─ 📋 dynamic_adjustments.json JSON 8L · 143 B

├─ 📝 DYNAMIC_STRATEGY_REPORT.md Markdown 280L · 6.2 KB

├─ 📜 dynamic-adjust-v2.js JavaScript 326L · 12.1 KB

├─ 📜 dynamic-adjust.js JavaScript 310L · 11.3 KB

├─ 📜 dynamic-rebalance.js JavaScript 295L · 9.3 KB

├─ 📝 ETH_GRID_REPORT.md Markdown 128L · 3.2 KB

├─ 📝 FINAL_DEPLOYMENT_2026-03-17_2220.md Markdown 339L · 7.0 KB

├─ 📝 GRID_DEPLOYMENT_SUCCESS_2026-03-17.md Markdown 137L · 3.5 KB

├─ 📝 GRID_OPTIMIZATION_REPORT_2026-03-17.md Markdown 142L · 3.9 KB

├─ 📝 GRID_OPTIMIZATION_REPORT.md Markdown 278L · 6.1 KB

├─ 📝 GRID_RESTARTED_2026-03-17.md Markdown 118L · 2.6 KB

├─ 📝 GRID_RESTORED_2026-03-17.md Markdown 99L · 2.1 KB

├─ 📋 grid_settings_adjusted.json JSON 58L · 1.7 KB

├─ 📋 grid_settings_conservative.json JSON 58L · 1.5 KB

├─ 📋 grid_settings_highfreq.json JSON 62L · 1.8 KB

├─ 📋 grid_settings_minimal.json JSON 58L · 1.4 KB

├─ 📋 grid_settings_optimized.json JSON 30L · 790 B

├─ 📋 grid_settings_standard.json JSON 58L · 1.4 KB

├─ 📋 grid_settings_ultra.json JSON 58L · 1.5 KB

├─ 📋 grid_settings.json JSON 55L · 1.3 KB

├─ 📝 GRID_STATUS_2026-03-17_2208.md Markdown 219L · 4.1 KB

├─ 📝 GRID_STATUS_REPORT.md Markdown 172L · 4.1 KB

├─ 📝 GRID_STOPPED_2026-03-17.md Markdown 84L · 1.9 KB

├─ 📜 grid-optimizer.js JavaScript 267L · 10.3 KB

├─ 📋 highfreq_deployment_report.json JSON 39L · 1.1 KB

├─ 📝 HIGHFREQ_SETUP_COMPLETE.md Markdown 189L · 4.3 KB

├─ 📜 kline-analyzer.js JavaScript 235L · 9.3 KB

├─ 📝 MANUAL_SETUP.md Markdown 159L · 3.0 KB

├─ 📋 monitor_state.json JSON 116L · 2.9 KB

├─ 🔧 monitor-cron.sh Shell 18L · 529 B

├─ 📜 monitor-fixed.js JavaScript 191L · 5.8 KB

├─ 📜 monitor-grid.js JavaScript 195L · 6.0 KB

├─ 🔧 monitor-wrapper.sh Shell 26L · 632 B

├─ 📋 multi_agent_config.json JSON 126L · 3.2 KB

├─ 📜 multi_agent_controller.js JavaScript 452L · 14.8 KB

├─ 📝 MULTI_AGENT_SETUP_GUIDE.md Markdown 369L · 7.5 KB

├─ 📝 MULTI_AGENT_TEST_REPORT_2026-03-17.md Markdown 318L · 7.0 KB

├─ 📝 multi_coin_analysis.md Markdown 118L · 2.9 KB

├─ 📝 NEW_COINS_ANALYSIS.md Markdown 137L · 3.0 KB

├─ 📝 OPTIMIZATION_REPORT.md Markdown 235L · 4.9 KB

├─ 📜 optimize-grids.js JavaScript 247L · 7.9 KB

├─ 📜 optimize-strategy.js JavaScript 178L · 6.7 KB

├─ 📝 QUANT_STRATEGY.md Markdown 252L · 5.4 KB

├─ 📝 QUANT_SYSTEM.md Markdown 243L · 5.0 KB

├─ 📜 quant-trader.js JavaScript 321L · 11.2 KB

├─ 📜 quick-report.js JavaScript 127L · 4.6 KB

├─ 📜 quick-start.js JavaScript 174L · 4.6 KB

├─ 📝 README.md Markdown 301L · 6.3 KB

├─ 📜 rebalance.js JavaScript 179L · 6.8 KB

├─ 📝 REDEPLOY_COMPLETE.md Markdown 157L · 4.0 KB

├─ 📝 REDEPLOY_REPORT_2026-03-17_2158.md Markdown 223L · 4.9 KB

├─ 📜 redeploy-coins.js JavaScript 292L · 9.4 KB

├─ 📜 restart-final.js JavaScript 261L · 8.4 KB

├─ 📜 restart-grids-fixed.js JavaScript 254L · 8.1 KB

├─ 📜 restart-grids.js JavaScript 191L · 6.1 KB

├─ 📝 RUNNING_STATUS.md Markdown 92L · 1.9 KB

├─ 📜 save-optimized-config.js JavaScript 55L · 1.4 KB

├─ 📝 SCHEME_A_MANUAL.md Markdown 180L · 3.9 KB

├─ 📋 scheme_a_result.json JSON 21L · 310 B

├─ 📜 sell-btc-market.js JavaScript 165L · 5.7 KB

├─ 📜 setup-cron-monitor.js JavaScript 90L · 3.4 KB

├─ 📜 setup-cron.js JavaScript 104L · 2.8 KB

├─ 📝 SKILL.md Markdown 277L · 6.9 KB

├─ 📋 smart_grid_state.json JSON 61L · 1.6 KB

├─ 📜 smart-grid.js JavaScript 625L · 20.9 KB

├─ 📜 start-avax-matic.js JavaScript 257L · 8.0 KB

├─ 📜 start-btc-grid.js JavaScript 246L · 7.6 KB

├─ 📜 start-eth-simple.js JavaScript 106L · 3.9 KB

├─ 📜 start-eth-v2.js JavaScript 106L · 3.9 KB

├─ 📜 start-eth-v3.js JavaScript 103L · 3.9 KB

├─ 📜 start-eth-v4.js JavaScript 103L · 3.9 KB

├─ 📜 start-eth-v5.js JavaScript 91L · 3.4 KB

├─ 📜 start-eth-xrp.js JavaScript 183L · 5.6 KB

├─ 📜 start-eth.js JavaScript 184L · 6.1 KB

├─ 📜 start-grids.js JavaScript 190L · 6.1 KB

├─ 📜 start-simple.js JavaScript 257L · 8.0 KB

├─ 📜 start-sol.js JavaScript 153L · 5.0 KB

├─ 📝 STARTUP_REPORT.md Markdown 60L · 1.2 KB

├─ 📝 STATUS_REPORT.md Markdown 159L · 3.5 KB

├─ 📝 STATUS_SUMMARY_2026-03-17_2230.md Markdown 243L · 4.7 KB

├─ 📋 status.json JSON 20L · 505 B

├─ 📜 stop-btc-grid.js JavaScript 125L · 4.2 KB

├─ 📝 strategy_report.md Markdown 229L · 5.1 KB

├─ 📝 STRATEGY_SUMMARY.md Markdown 148L · 3.2 KB

├─ 📋 strategy-summary.json JSON 36L · 758 B

├─ 🔧 test_multi_agent.sh Shell 33L · 913 B

├─ 📜 test-api-debug.js JavaScript 119L · 3.7 KB

├─ 📜 test-eth-grid.js JavaScript 147L · 5.0 KB

├─ 📜 test-grid-api.js JavaScript 127L · 4.1 KB

├─ 📜 test-klines.js JavaScript 51L · 1.6 KB

├─ 📜 test-order.js JavaScript 120L · 3.7 KB

├─ 📜 trade-analyzer.js JavaScript 308L · 10.6 KB

├─ 📝 TRADING_DECISION_2026-03-17_2235.md Markdown 228L · 5.7 KB

├─ 📝 trading_setup.md Markdown 176L · 4.1 KB

├─ 📋 ultra_deployment_report.json JSON 47L · 1.2 KB

├─ 📝 UNLIMITED_MODE.md Markdown 73L · 2.0 KB

├─ 📜 use-sdk.js JavaScript 124L · 3.9 KB

└─ 📝 启动报告_2026-03-10.md Markdown 146L · 3.3 KB

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`https-proxy-agent`	`unknown`	implicit	否	Referenced in code but not in declared dependencies
`Node.js built-ins`	`N/A`	stdlib	否	fs, crypto, path, https, http, child_process

安全亮点

✓ All network requests go to legitimate Bitget API (api.bitget.com)

✓ No base64-encoded malicious code or obfuscation detected

✓ No remote code execution via curl|bash patterns

✓ No credential exfiltration to external servers

✓ Proper HMAC-SHA256 API signing implemented correctly

✓ No hidden backdoor functionality discovered

✓ No evidence of C2 communication or data theft

✓ No sensitive file access (.ssh, .aws, .env) beyond documented config paths