Trusted — Risk score 5/100
Last scan: 1 day ago
vantage
Vantage — Autonomous trading agent for Hyperliquid perpetual futures. Signal-to-execution in one loop. Runs on your machine. No cloud infra.
Vantage is a legitimate autonomous trading agent for Hyperliquid perpetual futures. All observed behavior—private key signing, market data fetching, trade execution, and LLM decision integration—is directly declared, cryptographically sound, and consistent with documented purpose.
Skill name: vantage
Analysis time: 44.8s
Engine: pi
Status: can be installed
No action required. The skill is safe to use. Users should still protect their HYPERLIQUID_PRIVATE_KEY as they would any signing key.

Security findings: 1

Severity | Finding | Location
Low | NPM dependencies use unpinned version ranges (supply chain) | package.json:10
package.json uses caret ranges (^1.6.0, ^16.0.0, ^6.16.0, ^3.1.3) instead of exact pinned versions. This allows minor/patch updates to be installed automatically, creating a supply-chain attack window.
"axios": "^1.6.0", "dotenv": "^16.0.0", "ethers": "^6.16.0", "@msgpack/msgpack": "^3.1.3"
→ Pin dependencies to exact versions (e.g., "axios": "1.6.0") and update deliberately via npm audit.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | READ+WRITE | ✓ consistent | src/hyperliquid.js:14 reads/writes data/paper-trades.json
Network access | READ | READ+WRITE | ✓ consistent | src/trader.js:159 POSTs signed orders to Hyperliquid exchange API; src/index.js:…
Command execution | NONE | NONE | | No shell/subprocess calls found
Environment variables | READ | READ | ✓ consistent | process.env used for config only; no iteration over all env vars
Skill invocation | NONE | NONE | | No inter-skill invocation found
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation found
Database | NONE | NONE | | No database access found
Detected indicators: 19

Severity | Type | Value | Location
Medium | External URL | https://ollama.com | README.md:212
Medium | External URL | https://morebetterstudios.com/products | SKILL.md:17
Medium | External URL | https://paulmillr.com/funding/ | package-lock.json:41
Medium | External URL | https://dotenvx.com | package-lock.json:131
Medium | External URL | https://www.buymeacoffee.com/ricmoo | package-lock.json:204
Medium | Cryptocurrency wallet address | 0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48 | skills/thorchain-routing/SKILL.md:12
Medium | External URL | https://thornode.ninerealms.com | skills/thorchain-routing/index.js:12
Medium | External URL | https://midgard.ninerealms.com/v2 | skills/thorchain-routing/index.js:13
Medium | External URL | https://hyperliquid.gitbook.io/hyperliquid-docs/for-developers/api/info-endpoint | src/hyperliquid.js:5
Medium | External URL | https://api.hyperliquid.xyz/info | src/hyperliquid.js:14
Medium | External URL | https://api.coingecko.com/api/v3/simple/price?ids=thorchain&vs_currencies=usd&include_24hr_change=true&include_24hr_vol=... | src/research.js:22
Medium | External URL | https://thornode.ninerealms.com/thorchain/network | src/research.js:30
Medium | External URL | https://midgard.ninerealms.com/v2/pools?status=Available&order=volume24h&limit=$ | src/research.js:37
Medium | External URL | https://api.coingecko.com/api/v3/simple/price?ids=thorchain&vs_currencies=usd | src/setup-check.js:168
Medium | External URL | https://midgard.ninerealms.com/v2/stats | src/setup-check.js:175
Medium | External URL | https://midgard.ninerealms.com | src/signals.js:25
Medium | External URL | https://api.coingecko.com/api/v3 | src/signals.js:27
Medium | External URL | https://api.hyperliquid.xyz/exchange | src/trader.js:22
Medium | Cryptocurrency wallet address | 0x0000000000000000000000000000000000000000 | src/trader.js:127

Directory structure

16 files · 114.2 KB · 3239 lines
JavaScript: 9 files · 2357 lines; JSON: 3 files · 444 lines; Markdown: 4 files · 438 lines
├─ skills/
│ ├─ thorchain-routing/
│ │ ├─ index.js JavaScript 207 lines · 7.5 KB
│ │ ├─ package.json JSON 19 lines · 647 B
│ │ └─ SKILL.md Markdown 34 lines · 1.1 KB
│ └─ vantage/
│ └─ SKILL.md Markdown 96 lines · 2.8 KB
├─ src/
│ ├─ hyperliquid.js JavaScript 177 lines · 5.4 KB
│ ├─ index.js JavaScript 592 lines · 23.4 KB
│ ├─ research.js JavaScript 274 lines · 9.5 KB
│ ├─ setup-check.js JavaScript 278 lines · 12.1 KB
│ ├─ signals.js JavaScript 351 lines · 12.1 KB
│ ├─ sizing.js JavaScript 54 lines · 2.1 KB
│ ├─ thorchain.js JavaScript 77 lines · 2.2 KB
│ └─ trader.js JavaScript 347 lines · 11.2 KB
├─ package-lock.json JSON 424 lines · 14.6 KB
├─ package.json JSON 1 line · 322 B
├─ README.md Markdown 212 lines · 6.5 KB
└─ SKILL.md Markdown 96 lines · 2.8 KB

Dependency analysis: 4 packages

Package | Version | Source | Known vulnerabilities | Notes
axios | ^1.6.0 | npm | | Caret range — minor version drift possible
dotenv | ^16.0.0 | npm | | Caret range
ethers | ^6.16.0 | npm | | Caret range
@msgpack/msgpack | ^3.1.3 | npm | | Caret range

Security highlights

✓ No shell execution, subprocess calls, or system command invocation found
✓ No base64-encoded payloads, obfuscation, or eval() usage
✓ Private key is used only for cryptographic signing via ethers.js EIP-712; key is never logged or transmitted to any server
✓ All network calls are to documented, well-known public APIs (Hyperliquid, CoinGecko, THORChain Midgard/THORNode, Ollama/OpenAI)
✓ Paper trading mode is enforced when private key is absent, preventing accidental live trades during testing
✓ Input validation on private key format (0x-prefixed 64-char hex) prevents misuse of malformed keys
✓ No access to sensitive filesystem paths (~/.ssh, ~/.aws, .env file itself)
✓ Error sanitization strips private key from error messages before logging
✓ No hidden functionality or shadow behavior; code is readable and matches documentation