passive-income-claw 安全扫描报告 — 可信 | ClawSafe

5 /100

passive-income-claw

Binance passive income AI assistant - automatically scans earn opportunities, pushes matches based on user preferences, executes subscriptions within authorized limits

This is a legitimate Binance passive income management skill with no malicious behavior. All operations are properly documented, credentials are used only for Binance API, and file operations are scoped to the skill's data directory.

技能名称passive-income-claw

分析耗时47.6s

引擎pi

✓

可以安装

This skill is safe to use. The flagged 'rm -rf' at README.md:119 is the documented uninstall cleanup command targeting only ~/passive-income-claw/ (the skill's own data directory), not the entire home directory.

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	SKILL.md declares read/write to ~/passive-income-claw/ for profile, snapshot, lo…
网络访问	`READ`	`READ`	✓ 一致	lib.ts:BASE_URL = https://api.binance.com - all API calls to official Binance en…
命令执行	`NONE`	`NONE`	—	No subprocess/popen calls; uses node {baseDir}/bin/*.ts pattern
环境变量	`READ`	`READ`	✓ 一致	lib.ts:18-19 reads BINANCE_API_KEY and BINANCE_API_SECRET
技能调用	`NONE`	`NONE`	—	No skill invocation detected
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser access
数据库	`NONE`	`NONE`	—	No database access

1 严重 3 项发现

💀

严重危险命令危险 Shell 命令

rm -rf ~

README.md:119

🔗

中危外部 URL 外部 URL

https://www.binance.com/en/my/settings/api-management

README.md:13

🔗

中危外部 URL 外部 URL

https://api.binance.com

bin/lib.ts:8

目录结构

15 文件 · 54.2 KB · 1612 行

Markdown 8f · 840L TypeScript 7f · 772L

├─ ▾ 📁 bin

│ ├─ 📜 auth-check.ts TypeScript 17L · 679 B

│ ├─ 📜 earn-api.ts TypeScript 87L · 3.4 KB

│ ├─ 📜 lib.ts TypeScript 365L · 11.8 KB

│ ├─ 📜 log.ts TypeScript 90L · 3.2 KB

│ ├─ 📜 margin-api.ts TypeScript 92L · 3.4 KB

│ ├─ 📜 profile.ts TypeScript 54L · 1.6 KB

│ └─ 📜 snapshot.ts TypeScript 67L · 2.4 KB

├─ ▾ 📁 binance-earn

│ └─ 📝 SKILL.md Markdown 54L · 2.3 KB

├─ 📝 execute.md Markdown 187L · 6.2 KB

├─ 📝 memory-template.md Markdown 21L · 900 B

├─ 📝 path-analysis.md Markdown 145L · 4.9 KB

├─ 📝 README.md Markdown 120L · 3.2 KB

├─ 📝 scan.md Markdown 143L · 4.4 KB

├─ 📝 setup.md Markdown 105L · 3.0 KB

└─ 📝 SKILL.md Markdown 65L · 2.8 KB

安全亮点

✓ Uses only Node.js standard library modules (node:crypto, node:fs, node:path, node:os) - no external dependencies

✓ Comprehensive 5-step authorization system with hard limits (single/daily limits, operation whitelist, asset whitelist)

✓ All API calls go to official Binance endpoint (https://api.binance.com)

✓ Credentials used only for API authentication, never exfiltrated

✓ File operations strictly scoped to ~/passive-income-claw/ user data directory

✓ Well-structured TypeScript with clear separation of concerns

✓ Safety mechanisms: margin level checks (>2.0), net yield validation (>2%), rollback on partial failures

✓ No obfuscation, base64 encoding, or suspicious patterns

✓ Documentation accurately reflects implementation - no doc-to-code mismatch

✓ Rollback mechanism prevents orphaned debt on borrow-to-earn failures