Low risk: risk score 5/100
Last scan: 2 days ago
bankofbots
Trust layer for agentic commerce. Build a BOB Score from on-chain payment proofs and x402 receipts, then borrow USDC credit lines based on your score. Non-custodial — BOB never holds your funds.
This is a documentation-only skill (SKILL.md + reference docs) with no executable code or scripts. All behavior is described transparently in SKILL.md.
Skill name: bankofbots
Analysis time: 30.2s
Engine: pi
Verdict: safe to install
No immediate action needed. The skill is safe to use as a reference layer for the `bob` CLI. Monitor `BOB_API_KEY` usage and operator inbox commands for unexpected behavior at runtime.

Security findings (2)

Severity | Finding | Location

Low | Environment variables declared but values not scoped | SKILL.md:8
  SKILL.md metadata declares BOB_API_KEY and BOB_AGENT_ID as required. While documented, these are sensitive credentials that the bob CLI uses for all API calls. No scope limitation is specified.
  Evidence: requires:{"env":["BOB_API_KEY","BOB_AGENT_ID"]}
  → Ensure BOB_API_KEY is scoped to the minimum required permissions in the BOB dashboard.

Low | Operator inbox commands not pre-validated | SKILL.md:262
  bob inbox check processes pending operator commands, including 'wallet.provision' and future types such as 'transfer.request', 'loan.accept', 'kill_switch' and 'key.rotate'. Commands are processed at runtime without pre-scan validation.
  Evidence: Future: transfer.request, loan.accept, kill_switch, key.rotate
  → Review operator commands in the BOB dashboard before deployment. Ensure the operator is trusted.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | NONE | | No filesystem access declared or inferred; all markdown files only
Network access | READ | READ | ✓ consistent | SKILL.md:85 — production API https://api.bankofbots.ai/api/v1
Command execution | NONE | NONE | | No shell commands in markdown; describes bob CLI invocations only
Environment variables | READ | READ | ✓ consistent | SKILL.md metadata — requires BOB_API_KEY, BOB_AGENT_ID; optional BOB_API_URL
Skill invocation | NONE | NONE | | No skill-to-skill invocations described
Clipboard | NONE | NONE | | Not referenced in any file
Browser | NONE | NONE | | Not referenced in any file
Database | NONE | NONE | | Not referenced in any file
External URL findings (6)

Severity | Type | URL | Location
Medium | External URL | https://bankofbots.ai | README.md:45
Medium | External URL | https://api.bankofbots.ai/docs | README.md:47
Medium | External URL | https://bankofbots.ai/docs/agent-setup | README.md:48
Medium | External URL | https://www.npmjs.com/package/@bankofbots/skill | README.md:49
Medium | External URL | https://api.bankofbots.ai/api/v1 | SKILL.md:85
Medium | External URL | https://api.merchant.com/v1/chat | SKILL.md:251

Directory structure

6 files · 27.5 KB · 779 lines
Markdown 6f · 779L
├─ 📁 references
│ ├─ 📝 commands.md Markdown 97L · 3.1 KB
│ ├─ 📝 errors.md Markdown 36L · 1.3 KB
│ ├─ 📝 proofs.md Markdown 115L · 4.5 KB
│ └─ 📝 scoring.md Markdown 55L · 2.1 KB
├─ 📝 README.md Markdown 51L · 1.4 KB
└─ 📝 SKILL.md Markdown 425L · 15.2 KB

Security highlights

✓ No executable scripts — this is a documentation-only package (markdown files only)
✓ No base64-encoded payloads or obfuscated code detected
✓ All behavior is fully described in SKILL.md with no hidden functionality
✓ No filesystem writes, no credential harvesting patterns, no remote script execution
✓ Wallet key generation is documented as client-side (local keyring), not exfiltrated
✓ Consistent doc-to-code alignment — what is described is what is delivered
✓ Loan repayment and fund transfers are documented as on-chain operations (verifiable on public ledger)