中文 EN

扫描报告

扫描新文件

可疑 — 风险评分 40/100
上次扫描:21 小时前 重新扫描
40 /100
okx-security
Security scanning skill for OKX Web3: token risk detection, honeypot detection, DApp phishing detection, transaction pre-execution security, signature safety, and approval management
OKX Web3 security scanning skill with documented remote script download/execution from GitHub, creating significant supply chain attack surface despite SHA256 verification.
技能名称okx-security
分析耗时51.9s
引擎pi
谨慎使用
Approve with caution. The skill's remote installer execution pattern is the primary concern. Ensure onchainos binary remains sandboxed to security operations only. Consider pinning to specific version tags rather than always fetching 'latest' to reduce supply chain risk.

安全发现 3 项

严重性 安全发现 位置
中危
Remote installer download and execution 供应链
Skill downloads install.sh from raw.githubusercontent.com and executes it via shell. While SHA256 verification is performed, the attack surface remains significant if GitHub infrastructure or the repo is compromised.
curl -sSL "https://raw.githubusercontent.com/okx/onchainos-skills/${LATEST_TAG}/install.sh" -o /tmp/onchainos-install.sh
→ Consider distributing the binary as a bundled asset within the skill package itself, or pinning to a specific verified release tag rather than always fetching 'latest'.
 SKILL.md:19
中危
Dynamic 'latest' version resolution 供应链
Skill fetches the latest stable release tag from GitHub API on every session. This creates non-deterministic behavior where the installed binary can change between runs, increasing supply chain exposure.
curl -sSL "https://api.github.com/repos/okx/onchainos-skills/releases/latest"
→ Pin to a specific version tag (e.g., v2.0.0) and update only after security review of new releases.
 SKILL.md:15
低危
onchainos binary scope exceeds security scanning 敏感访问
The onchainos CLI covers wallet operations, swaps, and contract calls beyond just security scanning. If the binary is compromised, these capabilities could be abused for unauthorized transactions.
onchainos wallet contract-call, onchainos gateway broadcast, onchainos swap swap
→ Restrict onchainos binary to security commands only if feasible, or document that the broader CLI is a trusted OKX dependency.
 SKILL.md:1
资源类型声明权限推断权限状态证据
网络访问 READ READ ✓ 一致 SKILL.md:curl GitHub API, raw.githubusercontent.com downloads
命令执行 WRITE WRITE ✓ 一致 SKILL.md:sh /tmp/onchainos-install.sh
文件系统 WRITE WRITE ✓ 一致 SKILL.md:Downloads to /tmp, installs to ~/.local/bin, stores cache in ~/.onchain…
技能调用 READ READ ✓ 一致 SKILL.md:Integrates with okx-agentic-wallet for wallet operations
环境变量 NONE NONE No env access detected in reference files or SKILL.md
7 项发现
🔗
中危 外部 URL 外部 URL
https://web3.okx.com
SKILL.md:8
🔗
中危 外部 URL 外部 URL
https://web3.okx.com/onchain-os/dev-portal
SKILL.md:71
🔗
中危 外部 URL 外部 URL
https://some-dapp.xyz
references/risk-domain-detection.md:14
🔗
中危 外部 URL 外部 URL
https://suspicious-defi.xyz
references/risk-domain-detection.md:42
💰
中危 钱包地址 加密货币钱包地址
0x6982508145454Ce325dDbE47a25d4ec3d2311933
references/risk-token-detection.md:130
💰
中危 钱包地址 加密货币钱包地址
0x25d887Ce7a35172C62FeBFD67a1856F20FaEbB00
references/risk-token-detection.md:131
💰
中危 钱包地址 加密货币钱包地址
0xdAC17F958D2ee523a2206206994597C13D831ec7
references/risk-token-detection.md:145

目录结构

5 文件 · 31.0 KB · 648 行
Markdown 5f · 648L
├─ 📁 references
│ ├─ 📝 risk-approval-monitoring.md Markdown 87L · 3.5 KB
│ ├─ 📝 risk-domain-detection.md Markdown 57L · 1.4 KB
│ ├─ 🔑 risk-token-detection.md Markdown 182L · 8.4 KB
│ └─ 📝 risk-transaction-detection.md Markdown 171L · 7.5 KB
└─ 📝 SKILL.md Markdown 151L · 10.3 KB

依赖分析 1 项

包名版本来源已知漏洞备注
onchainos-skills latest (dynamic) GitHub releases Dynamic 'latest' tag resolution; SHA256 verification performed

安全亮点

✓ SHA256 verification of downloaded installer and binary before execution
✓ Comprehensive documentation of all behaviors in SKILL.md - no hidden functionality detected
✓ Fail-safe principle: blocks transactions if security scan fails
✓ Risk action priority rule clearly defined (block > warn > safe)
✓ Reference files document all risk item types and interpretations
✓ No obfuscation, base64 payloads, or anti-analysis patterns found
✓ References are pure documentation with no executable code
✓ No credential harvesting or sensitive file access detected
✓ No direct IP network requests or C2 communication patterns