Low risk — risk score 20/100
Last scan: 21 hours ago
crypto-portfolio-tracker
Real-time cryptocurrency portfolio tracking and analysis
The skill implements a basic crypto portfolio tracker with legitimate CoinGecko API calls, but has documentation mismatches (unimplemented Binance/exchange integration, missing generate_report.js script). No malicious behavior detected.
Skill name: crypto-portfolio-tracker
Analysis time: 45.4s
Engine: pi
Verdict: can be installed
Remove unverifiable claims from SKILL.md about Binance API integration and blockchain explorer wallet tracking. Add the missing generate_report.js script or remove it from documentation.

Security findings: 3

Severity: Low
Finding: Undocumented feature gaps in SKILL.md (category: documentation deception)
Location: SKILL.md:1
Description: SKILL.md claims Binance/Coinbase API integration and blockchain explorer wallet tracking, but the actual implementation only uses hardcoded portfolio values with the CoinGecko API. No real exchange or wallet integration exists in the code.
Evidence: "Multi-platform portfolio aggregation (Binance, Coinbase, wallets)"
Recommendation: Update SKILL.md to accurately reflect implemented features: 'Fetches real-time crypto prices using CoinGecko API with hardcoded sample portfolio'

Severity: Low
Finding: Referenced script does not exist (category: documentation deception)
Location: SKILL.md:28
Description: SKILL.md documents a 'Generate Report' feature that calls scripts/generate_report.js, but this file does not exist in the codebase.
Evidence: node scripts/generate_report.js --period 7d
Recommendation: Either implement scripts/generate_report.js or remove the Generate Report feature from the documentation.

Severity: Info
Finding: Sensitive configuration template with placeholder fields (category: sensitive access)
Location: references/config.json:1
Description: references/config.json contains empty placeholder fields for API keys, bot tokens, and SMTP credentials. While currently empty, these fields suggest future credential storage capabilities.
Evidence: "apiKey": "", "apiSecret": "", "botToken": "", "smtp": ""
Recommendation: Ensure credentials are never stored in plaintext. If implementing exchange integration, use secure credential management instead of JSON file storage.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | WRITE | ✓ Consistent | set_alert.js writes to references/alerts.json for alert persistence, which is a …
Network access | READ | READ | ✓ Consistent | track_portfolio.js makes HTTPS requests only to api.coingecko.com, a legitimate …
Command execution | NONE | NONE | - | No subprocess or shell execution found in the codebase
Environment variables | NONE | NONE | - | No access to process.env or environment variables
Skill invocation | NONE | NONE | - | No skill invocation capabilities detected
Clipboard | NONE | NONE | - | No clipboard access
Browser | NONE | NONE | - | No browser automation
Database | NONE | NONE | - | No database access
External URLs: 1 finding
Severity: Medium
Finding: External URL (category: external URL)
URL: https://api.coingecko.com/api/v3
Location: scripts/track_portfolio.js:11

Directory structure

4 files · 6.1 KB · 241 lines
JavaScript: 2 files, 142 lines · Markdown: 1 file, 65 lines · JSON: 1 file, 34 lines
├─ references/
│  └─ config.json (JSON, 34 lines, 533 B)
├─ scripts/
│  ├─ set_alert.js (JavaScript, 58 lines, 1.4 KB)
│  └─ track_portfolio.js (JavaScript, 84 lines, 2.4 KB)
└─ SKILL.md (Markdown, 65 lines, 1.7 KB)

Security highlights

✓ No credential theft or harvesting detected - all API key fields in config.json are empty/disabled
✓ No shell command injection or subprocess execution
✓ No data exfiltration to external servers beyond legitimate CoinGecko API calls
✓ No obfuscation techniques (base64, eval, atob) detected
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env reads)
✓ No persistence mechanisms (no cron, startup hooks, or backdoor installation)
✓ No reverse shell or C2 communication patterns
✓ Code is clean and straightforward with no hidden functionality