Low Risk — Risk Score 20/100
Last scan: 19 hr ago
crypto-portfolio-tracker
Real-time cryptocurrency portfolio tracking and analysis
The skill implements a basic crypto portfolio tracker with legitimate CoinGecko API calls, but has documentation mismatches (unimplemented Binance/exchange integration, missing generate_report.js script). No malicious behavior detected.
Skill Name: crypto-portfolio-tracker
Duration: 45.4s
Engine: pi
Safe to install
Remove unverifiable claims from SKILL.md about Binance API integration and blockchain explorer wallet tracking. Add the missing generate_report.js script or remove it from documentation.

Findings (3 items)

Severity: Low
Finding: Undocumented feature gaps in SKILL.md (Doc Mismatch)
SKILL.md claims Binance/Coinbase API integration and blockchain explorer wallet tracking, but the actual implementation only uses hardcoded portfolio values with the CoinGecko API. No real exchange or wallet integration exists in the code.
Evidence: Multi-platform portfolio aggregation (Binance, Coinbase, wallets)
→ Update SKILL.md to accurately reflect implemented features: 'Fetches real-time crypto prices using CoinGecko API with hardcoded sample portfolio'
Location: SKILL.md:1

Severity: Low
Finding: Referenced script does not exist (Doc Mismatch)
SKILL.md documents a 'Generate Report' feature that calls scripts/generate_report.js, but this file does not exist in the codebase.
Evidence: node scripts/generate_report.js --period 7d
→ Either implement scripts/generate_report.js or remove the Generate Report feature from documentation
Location: SKILL.md:28

Severity: Info
Finding: Sensitive configuration template with placeholder fields (Sensitive Access)
references/config.json contains empty placeholder fields for API keys, bot tokens, and SMTP credentials. While currently empty, these fields suggest future credential storage capabilities.
Evidence: "apiKey": "", "apiSecret": "", "botToken": "", "smtp": ""
→ Ensure credentials are never stored in plaintext. If implementing exchange integration, use secure credential management instead of JSON file storage.
Location: references/config.json:1
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | WRITE | ✓ Aligned | set_alert.js writes to references/alerts.json for alert persistence, which is a …
Network | READ | READ | ✓ Aligned | track_portfolio.js makes HTTPS requests only to api.coingecko.com, a legitimate …
Shell | NONE | NONE | | No subprocess or shell execution found in the codebase
Environment | NONE | NONE | | No access to process.env or environment variables
Skill Invoke | NONE | NONE | | No skill invocation capabilities detected
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
1 finding
Severity: Medium
Finding: External URL
https://api.coingecko.com/api/v3
Location: scripts/track_portfolio.js:11

File Tree

4 files · 6.1 KB · 241 lines
JavaScript: 2 files, 142 lines · Markdown: 1 file, 65 lines · JSON: 1 file, 34 lines
├─ 📁 references
│ └─ 🔑 config.json JSON 34L · 533 B
├─ 📁 scripts
│ ├─ 📜 set_alert.js JavaScript 58L · 1.4 KB
│ └─ 📜 track_portfolio.js JavaScript 84L · 2.4 KB
└─ 📝 SKILL.md Markdown 65L · 1.7 KB

Security Positives

✓ No credential theft or harvesting detected - all API key fields in config.json are empty/disabled
✓ No shell command injection or subprocess execution
✓ No data exfiltration to external servers beyond legitimate CoinGecko API calls
✓ No obfuscation techniques (base64, eval, atob) detected
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env reads)
✓ No persistence mechanisms (no cron, startup hooks, or backdoor installation)
✓ No reverse shell or C2 communication patterns
✓ Code is clean and straightforward with no hidden functionality