security-defense-line 安全扫描报告 — 低风险 | ClawSafe

25 /100

security-defense-line

Blockchain security audit and wallet protection skill

Skill provides legitimate blockchain security analysis tools with a hardcoded billing API key as the primary concern.

技能名称security-defense-line

分析耗时41.3s

引擎pi

✓

可以安装

Move BILLING_API_KEY to environment variable instead of hardcoding. Otherwise the skill's core functionality appears benign with simulated data for demonstration.

安全发现 4 项

严重性	安全发现	位置
高危	Hardcoded Billing API Key The SkillPay billing API key is hardcoded in payment.py at line 12. This exposes the key in source code which could be extracted and abused. `BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"` → Move to environment variable: os.environ.get('SKILLPAY_API_KEY') with fallback error	`payment.py:12`
低危	Subprocess Documentation Mismatch The references/contract-auditing.md documents subprocess.run for running Slither/Mythril, but the actual scripts/contract_auditor.py uses mock data instead of real tool execution. `subprocess.run(['slither', contract_path, '--json', '-'], capture_output=True, text=True, timeout=300)` → Either implement the subprocess calls or remove documentation to avoid confusion	`references/contract-auditing.md:185`
提示	Simulated Data Without Real API Calls Scripts simulate security analysis results using random.random() instead of actual API calls to Etherscan, blockchain nodes, or security tools. `is_verified = random.random() < 0.7` → If intended for production, implement actual API integrations	`scripts/wallet_guardian.py:73`
提示	SkillPay Requires Payment The skill implements a billing system that charges 0.01 USDT per call via skillpay.me. This is declared but affects user experience. `每次调用费用：0.01 USDT` → Ensure payment flow is clear to users before first use	`payment.py:1`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`READ`	✓ 一致	Script files read/write local reports
网络访问	`NONE`	`READ`	✓ 一致	Makes HTTP calls to skillpay.me for billing
命令执行	`NONE`	`NONE`	—	References document subprocess but scripts don't use it
环境变量	`NONE`	`READ`	✓ 一致	Reads SKILLPAY_USER_ID env var only
技能调用	`NONE`	`WRITE`	✓ 一致	SkillPay billing integration charges users on each call

1 高危 22 项发现

🔑

高危 API 密钥疑似硬编码凭证

API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"

payment.py:12

🔗

中危外部 URL 外部 URL

https://suspicious-site.com

SKILL.md:106

🔗

中危外部 URL 外部 URL

https://skillpay.me

payment.py:11

🔗

中危外部 URL 外部 URL

https://swcregistry.io/

references/contract-auditing.md:238

🔗

中危外部 URL 外部 URL

https://consensys.github.io/smart-contract-best-practices/

references/contract-auditing.md:239

🔗

中危外部 URL 外部 URL

https://docs.openzeppelin.com/contracts/

references/contract-auditing.md:240

🔗

中危外部 URL 外部 URL

https://www.certora.com/

references/contract-auditing.md:241

🔗

中危外部 URL 外部 URL

https://swcregistry.io/docs/SWC-107

scripts/contract_auditor.py:160

🔗

中危外部 URL 外部 URL

https://consensys.github.io/smart-contract-best-practices/attacks/reentrancy/

scripts/contract_auditor.py:161

🔗

中危外部 URL 外部 URL

https://swcregistry.io/docs/SWC-104

scripts/contract_auditor.py:164

🔗

中危外部 URL 外部 URL

https://swcregistry.io/docs/SWC-115

scripts/contract_auditor.py:167

🔗

中危外部 URL 外部 URL

https://docs.soliditylang.org/en/v0.8.0/080-breaking-changes.html

scripts/contract_auditor.py:190

💰

中危钱包地址加密货币钱包地址

0x1111111111111111111111111111111111111111

scripts/multisig_manager.py:51

💰

中危钱包地址加密货币钱包地址

0x2222222222222222222222222222222222222222

scripts/multisig_manager.py:52

💰

中危钱包地址加密货币钱包地址

0x3333333333333333333333333333333333333333

scripts/multisig_manager.py:53

🔗

中危外部 URL 外部 URL

https://uniswap.org

scripts/phishing_detector.py:316

🔗

中危外部 URL 外部 URL

https://uniswop.org

scripts/phishing_detector.py:317

🔗

中危外部 URL 外部 URL

https://claim-free-tokens.xyz

scripts/phishing_detector.py:318

🔗

中危外部 URL 外部 URL

https://ethereum.org

scripts/phishing_detector.py:319

💰

中危钱包地址加密货币钱包地址

0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D

scripts/tx_validator.py:314

💰

中危钱包地址加密货币钱包地址

0x0000000000000000000000000000000000000000

scripts/wallet_guardian.py:37

💰

中危钱包地址加密货币钱包地址

0xdead00000000000000000000000000000000dead

scripts/wallet_guardian.py:38

目录结构

10 文件 · 87.2 KB · 2745 行

Python 7f · 2081L Markdown 2f · 645L JSON 1f · 19L

├─ ▾ 📁 references

│ └─ 📝 contract-auditing.md Markdown 245L · 6.3 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 contract_auditor.py Python 324L · 11.2 KB

│ ├─ 🐍 incident_responder.py Python 321L · 10.5 KB

│ ├─ 🐍 multisig_manager.py Python 327L · 10.5 KB

│ ├─ 🐍 phishing_detector.py Python 339L · 11.5 KB

│ ├─ 🐍 tx_validator.py Python 336L · 11.2 KB

│ └─ 🐍 wallet_guardian.py Python 292L · 10.2 KB

├─ 📋 _meta.json JSON 19L · 442 B

├─ 🐍 payment.py Python 142L · 5.2 KB

└─ 📝 SKILL.md Markdown 400L · 10.2 KB

依赖分析 4 项

包名	版本	来源	已知漏洞	备注
`requests`	`*`	pip	否	Version not pinned, used for billing API calls
`logging`	`stdlib`	stdlib	否	Standard library only
`json`	`stdlib`	stdlib	否	Standard library only
`random`	`stdlib`	stdlib	否	Standard library only

安全亮点

✓ No credential harvesting from sensitive paths (~/.ssh, ~/.aws, .env)

✓ No base64-encoded payloads or eval() usage

✓ No reverse shell or C2 infrastructure indicators

✓ Scripts use mock/simulated data rather than making actual risky API calls

✓ No hidden functionality beyond declared features

✓ No exfiltration of user data observed

✓ Skill functionality aligns with documentation