Skill Trust Decision

odds-movement-monitor

A hard-coded API key exposes a sensitive credential, and the skill contains a payment feature not declared in SKILL.md (shadow billing in payment.py), but the code's overall functionality is consistent with the described sports-odds monitoring; there is no evidence of RCE or data exfiltration.

Install decision first
Source: ClawHub
Scanned: Apr 11, 2026
Files 10
Artifacts 4
Violations 1
Findings 3
Most direct threat evidence
High Credential Theft
Hard-coded API key exposure

Line 12 of payment.py contains a plaintext API key: 'BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"'. This is the SkillPay billing key, a sensitive credential that should not be hard-coded in source.

payment.py:12

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 1 severe finding.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

What drove the risk score up

Hard-coded API key exposure +20

payment.py:12 hard-codes BILLING_API_KEY='sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2'

Undeclared payment feature (shadow functionality) +15

SKILL.md does not mention payment.py or SkillPay billing, yet the code contains a complete billing integration

Documentation-behavior discrepancy +10

The capabilities declared in SKILL.md are largely consistent with the actual code behavior, but the payment module is not declared

Most important evidence

High Credential Theft

Hard-coded API key exposure

Line 12 of payment.py contains a plaintext API key: 'BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"'. This is the SkillPay billing key, a sensitive credential that should not be hard-coded in source.

payment.py:12
Read the key from an environment variable, os.environ.get('SKILLPAY_API_KEY'), instead of hard-coding it; the key should be injected through a secure channel (such as a key-management service).
Medium Doc Mismatch

Undeclared payment feature (shadow functionality)

SKILL.md makes no mention of payment.py or the SkillPay billing integration, yet the code contains complete billing verification, charging, and top-up link generation. This is classic shadow functionality: users cannot learn the actual behavior from the documentation.

SKILL.md:1
Declare explicitly in SKILL.md: 1) that SkillPay is used for billing; 2) the cost per call; 3) the required API key environment variable.
Low Priv Escalation

Undeclared local database write permission

SKILL.md does not declare that the skill creates and writes a local SQLite database (odds_data.db), a filesystem operation outside the declared scope.

monitor.py:36
Declare the data persistence behavior in the documentation, stating the storage location and the data retention policy.

Declared capability vs actual capability

Capability   Result   Declared   Inferred   Evidence
Filesystem   Block    READ       WRITE      monitor.py:36-50 creates the SQLite database odds_data.db
Network      Pass     READ       READ       monitor.py:130-150 uses aiohttp to request the-odds-api.com
Shell        Pass     NONE       NONE       no subprocess calls

Suspicious artifacts and egress

High API Key
API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"

payment.py:12

Medium External URL
https://api.the-odds-api.com/v4

config.json:15

Medium External URL
https://the-odds-api.com/

monitor.py:527

Medium External URL
https://skillpay.me

payment.py:11

Dependencies and supply chain

Package    Version    Source   Known vuln   Notes
aiohttp    >=3.8.0    pip      No           lower version bound only, no upper pin
requests   >=2.28.0   pip      No           lower version bound only, no upper pin

File composition

10 files · 1699 lines
Python 5 files · 1432 lines
Markdown 2 files · 194 lines
JSON 2 files · 71 lines
Text 1 file · 2 lines
Files of concern · 4
config.json JSON · 49 lines
https://api.the-odds-api.com/v4
monitor.py Python · 597 lines
Undeclared local database write permission · https://the-odds-api.com/
payment.py Python · 142 lines
Hard-coded API key exposure · API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2" · https://skillpay.me
SKILL.md Markdown · 97 lines
Undeclared payment feature (shadow functionality)
Other files · change_detector.py · demo.py · README.md · __init__.py · _meta.json · requirements.txt

Security positives

Code logic is clear; the main functions (odds monitoring, change detection) are largely consistent with the SKILL.md description
No anti-analysis or obfuscated code
No direct network connections to external malicious IPs (connections only to the-odds-api.com and skillpay.me)
No credential-exfiltration code (POST requests are used only for normal billing verification)
No RCE, reverse shell, or data theft behavior