Suspicious — Risk Score 45/100
Last scan: 1 day ago
security-defense-line
Blockchain security protection and threat defense system: smart contract auditing, wallet security, transaction validation, phishing detection, and more
The skill contains a hardcoded API key in payment.py and makes undeclared network access for its billing integration. No malicious behavior was observed, but the hardcoded credential is a significant supply chain risk: anyone who obtains the skill's files can extract and use the key.
Skill Name: security-defense-line
Duration: 46.9s
Engine: pi
Use with caution
Move BILLING_API_KEY to an environment variable, and rotate the exposed key: deleting the line does not remove it from version history or from copies of the skill already distributed (and the key is reproduced in this report). Explicitly declare network access in the SKILL.md capability map. Consider using a secrets management service instead of hardcoding credentials.
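A fail-closed replacement for the hardcoded constant, as an added example (this is not the skill's payment.py): it reads the SKILLPAY_API_KEY variable the recommendation above names, assumes the key shape sk_ plus 64 hex characters from the flagged literal, refuses a key whose digest is on a revoked list, and masks the key for logs. The revoked digest is computed from a constructed placeholder, not from the key in the finding.

```python
import hashlib
import os
import re

# The variable name is the one the report's remediation suggests; the key shape
# (sk_ plus 64 hex characters) is assumed from the flagged literal. This is an
# added example, not the skill's payment.py.
ENV_VAR = "SKILLPAY_API_KEY"
KEY_SHAPE = re.compile(r"^sk_[0-9a-f]{64}$")

# A key that has ever been committed is compromised even after the line is deleted:
# git history and every distributed copy of the skill still carry it. Keep only a
# digest of rotated-out keys so the loader can refuse them without storing the key.
# The digest below is computed from a constructed placeholder, not the real key.
_LEAKED_PLACEHOLDER = "sk_" + "ab" * 32
REVOKED_KEY_DIGESTS = {hashlib.sha256(_LEAKED_PLACEHOLDER.encode()).hexdigest()}


class SecretConfigError(RuntimeError):
    """Raised when the billing key is absent, malformed, or known-leaked."""


def classify_key(value):
    """Return 'missing', 'malformed', 'leaked' or 'ok' for a candidate key string."""
    key = (value or "").strip()
    if not key:
        return "missing"
    if not KEY_SHAPE.fullmatch(key):
        return "malformed"
    if hashlib.sha256(key.encode()).hexdigest() in REVOKED_KEY_DIGESTS:
        return "leaked"
    return "ok"


def load_billing_key(env=None):
    """Resolve the key from the environment and fail closed.

    Deliberately no default argument to .get(): os.environ.get(NAME, "<old key>")
    is a common non-fix that keeps the hardcoded credential as a silent fallback.
    """
    env = os.environ if env is None else env
    raw = env.get(ENV_VAR)
    status = classify_key(raw)
    if status != "ok":
        raise SecretConfigError(f"{ENV_VAR} is {status}; refusing to start the billing client")
    return raw.strip()


def masked(key):
    """Log-safe rendering: prefix and last four characters only."""
    return f"{key[:3]}...{key[-4:]}"


if __name__ == "__main__":
    try:
        key = load_billing_key()
        print(f"billing key loaded: {masked(key)}")
    except SecretConfigError as exc:
        print(f"startup refused: {exc}")
```

Pass a dict as `env` in tests so the check runs without touching the real environment; in production call `load_billing_key()` once at startup and pass the value to the HTTP client as a header, never as part of a URL.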

Findings 3 items

Severity / Finding / Location

High: Hardcoded API Key in Source Code (Credential Theft)
A valid-looking API key is hardcoded directly in payment.py at line 12. This is a supply chain risk: anyone with the skill's files can extract and abuse the key.
  BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
→ Move the API key to an environment variable (os.environ.get('SKILLPAY_API_KEY'), treating an unset value as a startup failure rather than continuing with None) or use a secrets manager, and rotate the exposed key.
Location: payment.py:12

Medium: Undeclared Network Access (Doc Mismatch)
The skill makes HTTP requests to the external service skillpay.me, but network access is not declared in the SKILL.md capability declarations.
  requests.get(f"{BILLING_API_URL}/api/v1/billing/balance"...)
→ Add network:READ (and network:WRITE, if any request mutates remote state) to the declared capabilities if network access is required.
Location: payment.py:26

Medium: Unpinned Dependencies (Supply Chain)
The skill imports the requests library without pinning a version, so the resolved version depends on whatever the install environment provides.
  import requests
→ Pin requests to a specific version. The scanner suggests requests==2.31.0; in practice pin to the current patched release and include hashes so the install is reproducible.
Location: payment.py:3
Resource      Declared  Inferred  Status       Evidence
Filesystem    NONE      NONE                   No file operations found
Network       NONE      READ      ✗ Violation  payment.py:26-45 makes HTTP requests to skillpay.me
Shell         NONE      NONE                   SKILL.md shows bash examples, but the scripts themselves do not use shell:WRITE
Environment   NONE      READ      ✗ Violation  payment.py:60 reads SKILLPAY_USER_ID from os.environ
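The declared-versus-inferred comparison in the table above, as an added example that is not the scanner's own code: it reads a capability map from a SKILL.md fragment (the `resource: MODE` declaration syntax is assumed; the report does not show the real one), infers capabilities from a Python file with the standard `ast` module, flags string literals shaped like the reported key, and reports every use the declaration does not cover. Both inputs are constructed to resemble the reported payment.py, with a fake key.

```python
import ast
import re

# Constructed SKILL.md fragment. The report does not show the real capability
# declaration syntax, so this "resource: MODE" form is an assumption of the example.
SAMPLE_SKILL_MD = """# security-defense-line

capabilities:
  filesystem: NONE
  network: NONE
  shell: NONE
  environment: NONE
"""

# Constructed source resembling the reported payment.py (fake key, not the real one).
SAMPLE_PAYMENT_PY = (
    "import os\n"
    "import requests\n"
    "\n"
    'BILLING_API_URL = "https://skillpay.me"\n'
    'BILLING_API_KEY = "sk_' + "ab" * 32 + '"\n'
    "\n"
    "def balance(user_id):\n"
    '    r = requests.get(f"{BILLING_API_URL}/api/v1/billing/balance",\n'
    '                     headers={"Authorization": BILLING_API_KEY},\n'
    '                     params={"user": user_id}, timeout=10)\n'
    "    return r.json()\n"
    "\n"
    "def current_user():\n"
    '    return os.environ.get("SKILLPAY_USER_ID")\n'
)

RESOURCES = ("filesystem", "network", "shell", "environment")
SECRET_RE = re.compile(r"\bsk_[0-9a-f]{64}\b")   # shape of the flagged literal
NETWORK_READ = {"get", "head", "options"}
NETWORK_WRITE = {"post", "put", "patch", "delete"}


def declared_capabilities(skill_md):
    """Capability map from SKILL.md; anything not declared defaults to NONE."""
    caps = {r: "NONE" for r in RESOURCES}
    for m in re.finditer(r"^\s*(filesystem|network|shell|environment):\s*(\w+)", skill_md, re.M):
        caps[m.group(1)] = m.group(2).upper()
    return caps


def infer_capabilities(source):
    """Map resource -> {mode: first evidence line} by walking the AST.

    Heuristics: requests.<verb>() is network, os.environ / os.getenv is environment,
    open() is filesystem (WRITE when the mode string contains w, a or +),
    subprocess.* / os.system is shell.
    """
    found = {}

    def note(resource, mode, line):
        found.setdefault(resource, {}).setdefault(mode, line)

    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            fn = node.func
            if isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name):
                mod, name = fn.value.id, fn.attr
                if mod == "requests" and name in NETWORK_READ:
                    note("network", "READ", node.lineno)
                elif mod == "requests" and name in NETWORK_WRITE:
                    note("network", "WRITE", node.lineno)
                elif mod == "os" and name == "getenv":
                    note("environment", "READ", node.lineno)
                elif mod == "subprocess" or (mod == "os" and name == "system"):
                    note("shell", "WRITE", node.lineno)
            elif isinstance(fn, ast.Name) and fn.id == "open":
                mode_arg = node.args[1] if len(node.args) > 1 else None
                writes = isinstance(mode_arg, ast.Constant) and any(c in str(mode_arg.value) for c in "wa+")
                note("filesystem", "WRITE" if writes else "READ", node.lineno)
        elif (isinstance(node, ast.Attribute) and node.attr == "environ"
              and isinstance(node.value, ast.Name) and node.value.id == "os"):
            note("environment", "READ", node.lineno)
    return found


def find_hardcoded_secrets(source):
    """Line numbers holding a string literal shaped like the billing key."""
    return sorted({node.lineno for node in ast.walk(ast.parse(source))
                   if isinstance(node, ast.Constant) and isinstance(node.value, str)
                   and SECRET_RE.search(node.value)})


def capability_violations(skill_md, source):
    """(resource, mode, line) for every inferred use the declaration does not cover."""
    declared = declared_capabilities(skill_md)
    out = []
    for resource, modes in infer_capabilities(source).items():
        allowed = declared[resource]
        for mode, line in modes.items():
            if allowed == "NONE" or (mode == "WRITE" and allowed == "READ"):
                out.append((resource, mode, line))
    return sorted(out)


if __name__ == "__main__":
    for line in find_hardcoded_secrets(SAMPLE_PAYMENT_PY):
        print(f"High: hardcoded credential at payment.py:{line}")
    for resource, mode, line in capability_violations(SAMPLE_SKILL_MD, SAMPLE_PAYMENT_PY):
        print(f"Medium: {resource}:{mode} used at payment.py:{line} but declared NONE")
```

The AST walk is deliberately conservative: it matches only direct `requests.verb(...)`, `os.environ`, `os.getenv`, `open(...)`, `subprocess.*` and `os.system` uses, so aliased imports (`import requests as r`) or dynamic dispatch slip past it. A real scanner would resolve imports before matching; the point here is that declared capabilities are checked against evidence in code, not against what SKILL.md says.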
22 findings (1 High, 21 Medium)

High · API Key (suspected hardcoded credential): API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"   [payment.py:12]
Medium · External URL: https://suspicious-site.com   [SKILL.md:106]
Medium · External URL: https://skillpay.me   [payment.py:11]
Medium · External URL: https://swcregistry.io/   [references/contract-auditing.md:238]
Medium · External URL: https://consensys.github.io/smart-contract-best-practices/   [references/contract-auditing.md:239]
Medium · External URL: https://docs.openzeppelin.com/contracts/   [references/contract-auditing.md:240]
Medium · External URL: https://www.certora.com/   [references/contract-auditing.md:241]
Medium · External URL: https://swcregistry.io/docs/SWC-107   [scripts/contract_auditor.py:160]
Medium · External URL: https://consensys.github.io/smart-contract-best-practices/attacks/reentrancy/   [scripts/contract_auditor.py:161]
Medium · External URL: https://swcregistry.io/docs/SWC-104   [scripts/contract_auditor.py:164]
Medium · External URL: https://swcregistry.io/docs/SWC-115   [scripts/contract_auditor.py:167]
Medium · External URL: https://docs.soliditylang.org/en/v0.8.0/080-breaking-changes.html   [scripts/contract_auditor.py:190]
Medium · Wallet Address (cryptocurrency): 0x1111111111111111111111111111111111111111   [scripts/multisig_manager.py:51]
Medium · Wallet Address (cryptocurrency): 0x2222222222222222222222222222222222222222   [scripts/multisig_manager.py:52]
Medium · Wallet Address (cryptocurrency): 0x3333333333333333333333333333333333333333   [scripts/multisig_manager.py:53]
Medium · External URL: https://uniswap.org   [scripts/phishing_detector.py:316]
Medium · External URL: https://uniswop.org   [scripts/phishing_detector.py:317]
Medium · External URL: https://claim-free-tokens.xyz   [scripts/phishing_detector.py:318]
Medium · External URL: https://ethereum.org   [scripts/phishing_detector.py:319]
Medium · Wallet Address (cryptocurrency): 0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D   [scripts/tx_validator.py:314]
Medium · Wallet Address (cryptocurrency): 0x0000000000000000000000000000000000000000   [scripts/wallet_guardian.py:37]
Medium · Wallet Address (cryptocurrency): 0xdead00000000000000000000000000000000dead   [scripts/wallet_guardian.py:38]

These are pattern hits, not behavioral findings, and most resolve on inspection: the three repeated-digit addresses in multisig_manager.py, the zero address and the 0xdead...dead burn address in wallet_guardian.py are placeholders rather than live wallets; the look-alike uniswop.org and claim-free-tokens.xyz sit beside the genuine uniswap.org and ethereum.org in phishing_detector.py, which reads as sample input for the detector; the swcregistry.io, consensys, openzeppelin, certora and soliditylang links are documentation references; and 0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D is the public Uniswap V2 router contract address. The one external endpoint the code actually contacts at runtime is https://skillpay.me in payment.py (the undeclared network finding above). https://suspicious-site.com at SKILL.md:106 should be checked in context.

File Tree

10 files · 87.2 KB · 2745 lines
Python: 7 files, 2081 lines · Markdown: 2 files, 645 lines · JSON: 1 file, 19 lines
├─ 📁 references
│ └─ 📝 contract-auditing.md Markdown 245L · 6.3 KB
├─ 📁 scripts
│ ├─ 🐍 contract_auditor.py Python 324L · 11.2 KB
│ ├─ 🐍 incident_responder.py Python 321L · 10.5 KB
│ ├─ 🐍 multisig_manager.py Python 327L · 10.5 KB
│ ├─ 🐍 phishing_detector.py Python 339L · 11.5 KB
│ ├─ 🐍 tx_validator.py Python 336L · 11.2 KB
│ └─ 🐍 wallet_guardian.py Python 292L · 10.2 KB
├─ 📋 _meta.json JSON 19L · 442 B
├─ 🐍 payment.py Python 142L · 5.2 KB
└─ 📝 SKILL.md Markdown 400L · 10.2 KB

Dependencies 1 items

Package   Version  Source  Known Vulns  Notes
requests  *        pip     No           Version not pinned, so the vulnerability check ran against a wildcard and says little; pin a version, then re-check that exact release.

Security Positives

✓ No credential harvesting from sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded execution or obfuscation detected
✓ No curl|bash remote script execution
✓ No reverse shell attempts or C2 communication
✓ No access to private keys or mnemonic phrases in actual code
✓ Scripts are primarily mock implementations for security analysis
✓ SKILL.md mentions payment integration transparently