High Risk — Risk Score 58/100
Last scan: 2 days ago
income-lab
Income Experiment and Execution System - A system for tracking income experiments and money-making methods
Hardcoded API key found in payment.py poses critical credential exposure risk. The skill implements legitimate billing integration but fails to follow secure credential management practices.
Skill Name: income-lab
Duration: 40.5s
Engine: pi
Do not install this skill
Remove hardcoded API key from source code and use environment variable SKILLPAY_API_KEY instead. The key is already referenced in _meta.json for environment variable lookup but not actually used.

Findings 4 items

Severity Finding Location
Critical
Hardcoded API Key Exposed in Source Code
A valid API key 'sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2' is hardcoded as plaintext in payment.py:12. This key grants access to the SkillPay billing API and could be extracted by anyone with read access to the repository.
BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
→ Replace hardcoded key with os.environ.get('SKILLPAY_API_KEY', '') and provide the actual key via environment variable at runtime.
payment.py:12
High
Inconsistent Credential Management
The _meta.json declares SKILLPAY_API_KEY and SKILLPAY_USER_ID as required environment variables, but the code ignores these and uses a hardcoded value. This creates confusion and bypasses intended credential management.
SKILL_ID = "5706cbf7-c6f7-431c-99b0-752f05736f7b"
→ Make payment.py read BILLING_API_KEY from environment variable as intended by the metadata configuration.
payment.py:16
Medium
No Version Pinning in Dependencies
requirements.txt specifies dependencies with only minimum-version constraints (pandas>=2.0.0, numpy>=1.24.0, etc.) rather than pinned versions. This allows potentially vulnerable versions to be installed.
pandas>=2.0.0
→ Pin exact versions of all dependencies to ensure reproducible builds and prevent supply chain attacks.
requirements.txt:1
Low
Data Directory in User Home
Scripts store experiment data in ~/.income-lab directory. While declared in documentation, this creates files outside a sandboxed scope.
DATA_DIR = os.path.expanduser("~/.income-lab")
→ Consider using a more sandboxed location like XDG_DATA_HOME or a project-local directory.
scripts/experiment_tracker.py:19
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ,WRITE | READ,WRITE | ✓ Aligned | SKILL.md declares experiment_tracker.py; ~/.income-lab usage confirmed in script… |
| Network | READ | READ | ✓ Aligned | SKILL.md mentions billing system; payment.py makes requests to skillpay.me |
| Shell | NONE | NONE | | No subprocess or os.system calls in any script |
| Environment | READ | READ | ✓ Aligned | payment.py reads SKILLPAY_USER_ID from os.environ |
| Skill Invoke | NONE | NONE | | No skill invocation patterns found |
1 High 2 findings
High API Key: Suspected hardcoded credential
API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
payment.py:12
Medium External URL
https://skillpay.me
payment.py:11

File Tree

8 files · 38.7 KB · 1286 lines
Markdown 3f · 632L Python 3f · 626L JSON 1f · 19L Text 1f · 9L
├─ 📁 references
│ ├─ 📝 income-methods.md Markdown 169L · 5.3 KB
│ └─ 📝 retrospective-framework.md Markdown 213L · 3.7 KB
├─ 📁 scripts
│ ├─ 🐍 experiment_tracker.py Python 287L · 10.7 KB
│ └─ 🐍 weekly_reporter.py Python 197L · 7.3 KB
├─ 📋 _meta.json JSON 19L · 431 B
├─ 🐍 payment.py Python 142L · 5.2 KB
├─ 📄 requirements.txt Text 9L · 133 B
└─ 📝 SKILL.md Markdown 250L · 6.0 KB

Dependencies 4 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| pandas | >=2.0.0 | pip | No | Version not pinned |
| numpy | >=1.24.0 | pip | No | Version not pinned |
| matplotlib | >=3.7.0 | pip | No | Version not pinned |
| python-dateutil | >=2.8.0 | pip | No | Version not pinned |

Security Positives

✓ No shell execution vulnerabilities - no subprocess, os.system, or eval calls found
✓ No credential exfiltration - network requests only go to documented billing endpoint
✓ No suspicious base64 encoding or obfuscation
✓ No access to sensitive system paths like ~/.ssh, ~/.aws, or .env files
✓ No hidden functionality in HTML comments or other stealth channels
✓ No curl|bash or wget|sh remote script execution patterns
✓ Legitimate billing integration properly documented in SKILL.md
✓ Experiment tracking functionality matches declared capabilities