High risk: risk score 58/100
Last scan: 2 days ago
income-lab
Income experiment and execution system - A system for tracking income experiments and money-making methods
Hardcoded API key found in payment.py poses critical credential exposure risk. The skill implements legitimate billing integration but fails to follow secure credential management practices.
Skill name: income-lab
Analysis time: 40.5s
Engine: pi
Do not install this skill
Remove hardcoded API key from source code and use environment variable SKILLPAY_API_KEY instead. The key is already referenced in _meta.json for environment variable lookup but not actually used.

Security findings (4)

Severity | Finding | Location

Critical | Hardcoded API Key Exposed in Source Code | payment.py:12
A valid API key 'sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2' is hardcoded as plaintext in payment.py:12. This key grants access to the SkillPay billing API and could be extracted by anyone with read access to the repository.
BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
→ Replace the hardcoded key with os.environ.get('SKILLPAY_API_KEY', '') and provide the actual key via environment variable at runtime.

High | Inconsistent Credential Management | payment.py:16
The _meta.json declares SKILLPAY_API_KEY and SKILLPAY_USER_ID as required environment variables, but the code ignores these and uses a hardcoded value. This creates confusion and bypasses the intended credential management.
SKILL_ID = "5706cbf7-c6f7-431c-99b0-752f05736f7b"
→ Make payment.py read BILLING_API_KEY from the environment variable as intended by the metadata configuration.

Medium | No Version Pinning in Dependencies | requirements.txt:1
requirements.txt specifies dependencies without upper version constraints (pandas>=2.0.0, numpy>=1.24.0, etc.). This allows potentially vulnerable versions to be installed.
pandas>=2.0.0
→ Pin exact versions of all dependencies to ensure reproducible builds and prevent supply chain attacks.

Low | Data Directory in User Home | scripts/experiment_tracker.py:19
Scripts store experiment data in the ~/.income-lab directory. While declared in the documentation, this creates files outside a sandboxed scope.
DATA_DIR = os.path.expanduser("~/.income-lab")
→ Consider using a more sandboxed location such as XDG_DATA_HOME or a project-local directory.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ,WRITE | READ,WRITE | ✓ consistent | SKILL.md declares experiment_tracker.py; ~/.income-lab usage confirmed in script…
Network access | READ | READ | ✓ consistent | SKILL.md mentions billing system; payment.py makes requests to skillpay.me
Command execution | NONE | NONE | | No subprocess or os.system calls in any script
Environment variables | READ | READ | ✓ consistent | payment.py reads SKILLPAY_USER_ID from os.environ
Skill invocation | NONE | NONE | | No skill invocation patterns found
Indicators: 1 high · 2 findings
🔑
High | API key | Suspected hardcoded credential
API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
payment.py:12
🔗
Medium | External URL
https://skillpay.me
payment.py:11

Directory structure

8 files · 38.7 KB · 1286 lines
Markdown: 3 files · 632 lines | Python: 3 files · 626 lines | JSON: 1 file · 19 lines | Text: 1 file · 9 lines
├─ 📁 references
│ ├─ 📝 income-methods.md Markdown 169L · 5.3 KB
│ └─ 📝 retrospective-framework.md Markdown 213L · 3.7 KB
├─ 📁 scripts
│ ├─ 🐍 experiment_tracker.py Python 287L · 10.7 KB
│ └─ 🐍 weekly_reporter.py Python 197L · 7.3 KB
├─ 📋 _meta.json JSON 19L · 431 B
├─ 🐍 payment.py Python 142L · 5.2 KB
├─ 📄 requirements.txt Text 9L · 133 B
└─ 📝 SKILL.md Markdown 250L · 6.0 KB

Dependency analysis (4)

Package | Version | Source | Known vulnerabilities | Notes
pandas | >=2.0.0 | pip | | Version not pinned
numpy | >=1.24.0 | pip | | Version not pinned
matplotlib | >=3.7.0 | pip | | Version not pinned
python-dateutil | >=2.8.0 | pip | | Version not pinned

Security highlights

✓ No shell execution vulnerabilities - no subprocess, os.system, or eval calls found
✓ No credential exfiltration - network requests only go to documented billing endpoint
✓ No suspicious base64 encoding or obfuscation
✓ No access to sensitive system paths like ~/.ssh, ~/.aws, or .env files
✓ No hidden functionality in HTML comments or other stealth channels
✓ No curl|bash or wget|sh remote script execution patterns
✓ Legitimate billing integration properly documented in SKILL.md
✓ Experiment tracking functionality matches declared capabilities