Trusted — Risk Score 5/100
Last scan: 1 day ago
passive-income-claw
Binance passive income AI assistant - automatically scans earn opportunities, pushes matches based on user preferences, executes subscriptions within authorized limits
This is a legitimate Binance passive income management skill with no malicious behavior. All operations are properly documented, credentials are used only for Binance API, and file operations are scoped to the skill's data directory.
Skill Name: passive-income-claw
Duration: 47.6s
Engine: pi
Safe to install
This skill is safe to use. The flagged 'rm -rf' at README.md:119 is the documented uninstall cleanup command targeting only ~/passive-income-claw/ (the skill's own data directory), not the entire home directory.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md declares read/write to ~/passive-income-claw/ for profile, snapshot, lo… |
| Network | READ | READ | ✓ Aligned | lib.ts:BASE_URL = https://api.binance.com - all API calls to official Binance en… |
| Shell | NONE | NONE | | No subprocess/popen calls; uses node {baseDir}/bin/*.ts pattern |
| Environment | READ | READ | ✓ Aligned | lib.ts:18-19 reads BINANCE_API_KEY and BINANCE_API_SECRET |
| Skill Invoke | NONE | NONE | | No skill invocation detected |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser access |
| Database | NONE | NONE | | No database access |
1 Critical 3 findings
Critical: Dangerous Command (dangerous shell command)
rm -rf ~
README.md:119
Medium: External URL
https://www.binance.com/en/my/settings/api-management
README.md:13
Medium: External URL
https://api.binance.com
bin/lib.ts:8

File Tree

15 files · 54.2 KB · 1612 lines
Markdown 8f · 840L TypeScript 7f · 772L
├─ 📁 bin
│ ├─ 📜 auth-check.ts TypeScript 17L · 679 B
│ ├─ 📜 earn-api.ts TypeScript 87L · 3.4 KB
│ ├─ 📜 lib.ts TypeScript 365L · 11.8 KB
│ ├─ 📜 log.ts TypeScript 90L · 3.2 KB
│ ├─ 📜 margin-api.ts TypeScript 92L · 3.4 KB
│ ├─ 📜 profile.ts TypeScript 54L · 1.6 KB
│ └─ 📜 snapshot.ts TypeScript 67L · 2.4 KB
├─ 📁 binance-earn
│ └─ 📝 SKILL.md Markdown 54L · 2.3 KB
├─ 📝 execute.md Markdown 187L · 6.2 KB
├─ 📝 memory-template.md Markdown 21L · 900 B
├─ 📝 path-analysis.md Markdown 145L · 4.9 KB
├─ 📝 README.md Markdown 120L · 3.2 KB
├─ 📝 scan.md Markdown 143L · 4.4 KB
├─ 📝 setup.md Markdown 105L · 3.0 KB
└─ 📝 SKILL.md Markdown 65L · 2.8 KB

Security Positives

✓ Uses only Node.js standard library modules (node:crypto, node:fs, node:path, node:os) - no external dependencies
✓ Comprehensive 5-step authorization system with hard limits (single/daily limits, operation whitelist, asset whitelist)
✓ All API calls go to official Binance endpoint (https://api.binance.com)
✓ Credentials used only for API authentication, never exfiltrated
✓ File operations strictly scoped to ~/passive-income-claw/ user data directory
✓ Well-structured TypeScript with clear separation of concerns
✓ Safety mechanisms: margin level checks (>2.0), net yield validation (>2%), rollback on partial failures
✓ No obfuscation, base64 encoding, or suspicious patterns
✓ Documentation accurately reflects implementation - no doc-to-code mismatch
✓ Rollback mechanism prevents orphaned debt on borrow-to-earn failures