Low Risk — Risk Score 10/100
sports-betting
Place and claim decentralized sports bets on-chain via Pinwin and Azuro on Polygon
This is a legitimate sports betting skill for Azuro/Pinwin on Polygon. The flagged base64 decoding is standard EIP-712 payload handling, fully documented in SKILL.md, and presents no security risk.
Skill name: sports-betting
Duration: 57.3s
Engine: pi
Safe to install
Approve for use. The skill properly handles private keys (local signing only), shows full payloads before signing, and requires explicit user confirmation for all on-chain actions.

Findings (3 items)

Severity: Low
Finding: Base64-encoded EIP-712 payloads (false positive)
Location: scripts/place-bet.js:188
The pre-scan flagged Buffer.from(body.encoded, 'base64') as a critical IOC (code obfuscation). This is standard EIP-712 encoding used by DeFi protocols. The Pinwin API returns {encoded: '<base64>'} containing JSON-signed bet/claim payloads. The code: (1) decodes and displays the full payload to the user, (2) verifies contract addresses, (3) requires explicit confirmation, then (4) signs locally with viem. No arbitrary code execution occurs.
Evidence: const payload = JSON.parse(Buffer.from(betRes.encoded, 'base64').toString('utf8'))
→ No action needed. This is documented in SKILL.md Steps 3-4 with full user-facing transparency.

Severity: Low
Finding: Child process spawn for background watcher
Location: scripts/place-bet.js:358
place-bet.js uses child_process.spawn with process.execPath to launch watch-bets.js as a detached background process after bet confirmation. This is limited to a bundled sibling script with no shell execution or external downloads.
Evidence: const watcher = spawn(process.execPath, watchArgs, { detached: true, stdio: ['ignore', 'pipe', 'pipe'] })
→ Documented in SKILL.md under 'Watch result'. Acceptable for this use case.

Severity: Info
Finding: Multiple external API endpoints
Location: SKILL.md:53
The skill calls external APIs: api.onchainfeed.org (Azuro data), api.pinwin.xyz (Pinwin bet/claim), polygon-bor-rpc.publicnode.com (RPC). All endpoints are documented in SKILL.md with specific paths.
Evidence: data-feed URL: https://api.onchainfeed.org/api/v1/public/market-manager/
→ No action needed. These are legitimate DeFi protocol endpoints.
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | Node.js scripts read config; package.json declared
Network | READ | READ | ✓ Aligned | Queries Azuro subgraph (read-only GraphQL), Pinwin API
Shell | WRITE | WRITE | ✓ Aligned | Node.js scripts executed via documented commands
Environment | WRITE | WRITE | ✓ Aligned | Reads BETTOR_PRIVATE_KEY for local EIP-712 signing only
Skill Invoke | WRITE | WRITE | ✓ Aligned | disable-model-invocation: true in _meta.json
Pre-scan pattern matches (21 findings, 2 Critical)

Severity | Category | Match | Location
Critical | Encoded Execution (base64-encoded execution, code obfuscation) | Buffer.from(body.encoded, 'base64' | scripts/claim-bets.js:92
Critical | Encoded Execution (base64-encoded execution, code obfuscation) | Buffer.from(betRes.encoded, 'base64' | scripts/place-bet.js:188
Medium | External URL | https://pinwin.xyz | README.md:3
Medium | External URL | https://docs.openclaw.ai | README.md:3
Medium | Wallet Address (cryptocurrency wallet address) | 0xc2132D05D31c914a87C6611C10748AEb04B58e8F | SKILL.md:48
Medium | Wallet Address (cryptocurrency wallet address) | 0x8dA05c0021e6b35865FDC959c54dCeF3A4AbBa9d | SKILL.md:49
Medium | Wallet Address (cryptocurrency wallet address) | 0xF9548Be470A4e130c90ceA8b179FCD66D2972AC7 | SKILL.md:50
Medium | Wallet Address (cryptocurrency wallet address) | 0x0FA7FB5407eA971694652E6E16C12A52625DE1b8 | SKILL.md:51
Medium | External URL | https://api.onchainfeed.org/api/v1/public/market-manager/ | SKILL.md:53
Medium | External URL | https://thegraph.onchainfeed.org/subgraphs/name/azuro-protocol/azuro-api-polygon-v3 | SKILL.md:54
Medium | External URL | https://api.pinwin.xyz | SKILL.md:55
Medium | External URL | https://polygonscan.com/tx/ | SKILL.md:56
Medium | External URL | https://polygon-bor-rpc.publicnode.com | SKILL.md:57
Medium | External URL | https://api.onchainfeed.org/api/v1/public/market-manager/conditions-by-game-ids | SKILL.md:296
Medium | External URL | https://api.pinwin.xyz/agent/bet | SKILL.md:305
Medium | Wallet Address (cryptocurrency wallet address) | 0xf9548be470a4e130c90cea8b179fcd66d2972ac7 | SKILL.md:368
Medium | External URL | https://api.onchainfeed.org/v1/bet/orders/ordinar | SKILL.md:410
Medium | External URL | https://api.onchainfeed.org/v1 | SKILL.md:410
Medium | External URL | https://api.pinwin.xyz/agent/claim | SKILL.md:512
Medium | Wallet Address (cryptocurrency wallet address) | 0x0fa7fb5407ea971694652e6e16c12a52625de1b8 | SKILL.md:526
Medium | External URL | https://polygonscan.com/tx/$ | scripts/claim-bets.js:123

File Tree

9 files · 76.5 KB · 1674 lines
JavaScript: 4 files · 1044 lines; Markdown: 2 files · 589 lines; JSON: 3 files · 41 lines
├─ scripts/
│ ├─ claim-bets.js (JavaScript, 191 lines · 8.1 KB)
│ ├─ get-games.js (JavaScript, 233 lines · 11.9 KB)
│ ├─ package-lock.json (JSON, 33 lines · 1002 B)
│ ├─ package.json (JSON, 7 lines · 116 B)
│ ├─ place-bet.js (JavaScript, 401 lines · 19.3 KB)
│ └─ watch-bets.js (JavaScript, 219 lines · 8.6 KB)
├─ _meta.json (JSON, 1 line · 257 B)
├─ README.md (Markdown, 7 lines · 899 B)
└─ SKILL.md (Markdown, 582 lines · 26.5 KB)

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
viem | latest | npm | No | Well-audited Ethereum library
@azuro-org/dictionaries | latest | npm | No | Official Azuro package for market resolution

Security Positives

✓ Private key never leaves the local process — used only for EIP-712 signing via viem
✓ Full decoded payload shown to user before any signing occurs
✓ Contract address verification after base64 decode (clientCore and claimContract checks)
✓ Interactive confirmation gates prevent unauthorized transactions (requires 'yes' input)
✓ disable-model-invocation: true prevents accidental autonomous execution
✓ No shell command injection vectors detected
✓ No credential exfiltration — BETTOR_PRIVATE_KEY used solely for local signing
✓ No external script downloads (curl|bash, wget|sh patterns absent)
✓ Clear safety rules documented in SKILL.md with explicit confirmation requirements
✓ Proper error handling with user-facing messages