security-defense-line Security Report — Low Risk | ClawSafe

25 /100

security-defense-line

Blockchain security audit and wallet protection skill

Skill provides legitimate blockchain security analysis tools with a hardcoded billing API key as the primary concern.

Skill Namesecurity-defense-line

Duration41.3s

Enginepi

✓

Safe to install

Move BILLING_API_KEY to environment variable instead of hardcoding. Otherwise the skill's core functionality appears benign with simulated data for demonstration.

Findings 4 items

Severity	Finding	Location
High	Hardcoded Billing API Key The SkillPay billing API key is hardcoded in payment.py at line 12. This exposes the key in source code which could be extracted and abused. `BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"` → Move to environment variable: os.environ.get('SKILLPAY_API_KEY') with fallback error	`payment.py:12`
Low	Subprocess Documentation Mismatch The references/contract-auditing.md documents subprocess.run for running Slither/Mythril, but the actual scripts/contract_auditor.py uses mock data instead of real tool execution. `subprocess.run(['slither', contract_path, '--json', '-'], capture_output=True, text=True, timeout=300)` → Either implement the subprocess calls or remove documentation to avoid confusion	`references/contract-auditing.md:185`
Info	Simulated Data Without Real API Calls Scripts simulate security analysis results using random.random() instead of actual API calls to Etherscan, blockchain nodes, or security tools. `is_verified = random.random() < 0.7` → If intended for production, implement actual API integrations	`scripts/wallet_guardian.py:73`
Info	SkillPay Requires Payment The skill implements a billing system that charges 0.01 USDT per call via skillpay.me. This is declared but affects user experience. `每次调用费用：0.01 USDT` → Ensure payment flow is clear to users before first use	`payment.py:1`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`READ`	✓ Aligned	Script files read/write local reports
Network	`NONE`	`READ`	✓ Aligned	Makes HTTP calls to skillpay.me for billing
Shell	`NONE`	`NONE`	—	References document subprocess but scripts don't use it
Environment	`NONE`	`READ`	✓ Aligned	Reads SKILLPAY_USER_ID env var only
Skill Invoke	`NONE`	`WRITE`	✓ Aligned	SkillPay billing integration charges users on each call

1 High 22 findings

🔑

High API Key 疑似硬编码凭证

API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"

payment.py:12

🔗

Medium External URL 外部 URL

https://suspicious-site.com

SKILL.md:106

🔗

Medium External URL 外部 URL

https://skillpay.me

payment.py:11

🔗

Medium External URL 外部 URL

https://swcregistry.io/

references/contract-auditing.md:238

🔗

Medium External URL 外部 URL

https://consensys.github.io/smart-contract-best-practices/

references/contract-auditing.md:239

🔗

Medium External URL 外部 URL

https://docs.openzeppelin.com/contracts/

references/contract-auditing.md:240

🔗

Medium External URL 外部 URL

https://www.certora.com/

references/contract-auditing.md:241

🔗

Medium External URL 外部 URL

https://swcregistry.io/docs/SWC-107

scripts/contract_auditor.py:160

🔗

Medium External URL 外部 URL

https://consensys.github.io/smart-contract-best-practices/attacks/reentrancy/

scripts/contract_auditor.py:161

🔗

Medium External URL 外部 URL

https://swcregistry.io/docs/SWC-104

scripts/contract_auditor.py:164

🔗

Medium External URL 外部 URL

https://swcregistry.io/docs/SWC-115

scripts/contract_auditor.py:167

🔗

Medium External URL 外部 URL

https://docs.soliditylang.org/en/v0.8.0/080-breaking-changes.html

scripts/contract_auditor.py:190

💰

Medium Wallet Address 加密货币钱包地址

0x1111111111111111111111111111111111111111

scripts/multisig_manager.py:51

💰

Medium Wallet Address 加密货币钱包地址

0x2222222222222222222222222222222222222222

scripts/multisig_manager.py:52

💰

Medium Wallet Address 加密货币钱包地址

0x3333333333333333333333333333333333333333

scripts/multisig_manager.py:53

🔗

Medium External URL 外部 URL

https://uniswap.org

scripts/phishing_detector.py:316

🔗

Medium External URL 外部 URL

https://uniswop.org

scripts/phishing_detector.py:317

🔗

Medium External URL 外部 URL

https://claim-free-tokens.xyz

scripts/phishing_detector.py:318

🔗

Medium External URL 外部 URL

https://ethereum.org

scripts/phishing_detector.py:319

💰

Medium Wallet Address 加密货币钱包地址

0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D

scripts/tx_validator.py:314

💰

Medium Wallet Address 加密货币钱包地址

0x0000000000000000000000000000000000000000

scripts/wallet_guardian.py:37

💰

Medium Wallet Address 加密货币钱包地址

0xdead00000000000000000000000000000000dead

scripts/wallet_guardian.py:38

File Tree

10 files · 87.2 KB · 2745 lines

Python 7f · 2081L Markdown 2f · 645L JSON 1f · 19L

├─ ▾ 📁 references

│ └─ 📝 contract-auditing.md Markdown 245L · 6.3 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 contract_auditor.py Python 324L · 11.2 KB

│ ├─ 🐍 incident_responder.py Python 321L · 10.5 KB

│ ├─ 🐍 multisig_manager.py Python 327L · 10.5 KB

│ ├─ 🐍 phishing_detector.py Python 339L · 11.5 KB

│ ├─ 🐍 tx_validator.py Python 336L · 11.2 KB

│ └─ 🐍 wallet_guardian.py Python 292L · 10.2 KB

├─ 📋 _meta.json JSON 19L · 442 B

├─ 🐍 payment.py Python 142L · 5.2 KB

└─ 📝 SKILL.md Markdown 400L · 10.2 KB

Dependencies 4 items

Package	Version	Source	Known Vulns	Notes
`requests`	`*`	pip	No	Version not pinned, used for billing API calls
`logging`	`stdlib`	stdlib	No	Standard library only
`json`	`stdlib`	stdlib	No	Standard library only
`random`	`stdlib`	stdlib	No	Standard library only

Security Positives

✓ No credential harvesting from sensitive paths (~/.ssh, ~/.aws, .env)

✓ No base64-encoded payloads or eval() usage

✓ No reverse shell or C2 infrastructure indicators

✓ Scripts use mock/simulated data rather than making actual risky API calls

✓ No hidden functionality beyond declared features

✓ No exfiltration of user data observed

✓ Skill functionality aligns with documentation

Scan Report

Findings 4 items

File Tree

Dependencies 4 items

Security Positives