Low Risk — Risk Score 25/100
Last scan: 2 days ago
tronlink-skills
AI Agent skills for TronLink wallet - wallet management, token queries, DEX swap quotes, energy/bandwidth resource management, and TRX staking on the TRON network
A legitimate read-only TRON blockchain querying skill with no malicious behavior, but flagged for curl|sh installation patterns documented in README.
Skill Name: tronlink-skills
Duration: 53.7s
Engine: pi
Safe to install
The skill is safe for read-only blockchain queries. Avoid the curl|sh installation pattern; clone the repo and run install.sh locally instead.

Findings (3 items)

Severity Finding Location
Medium
curl|sh installation pattern documented
README.md documents the dangerous curl|sh pattern for installation. While the install.sh script itself is non-malicious (just git clone + symlinks), piping remote scripts to shell is inherently risky.
curl -sSL https://raw.githubusercontent.com/TronLink/tronlink-skills/main/install.sh | sh
→ Use local installation: git clone the repo, then run sh install.sh --local /path/to/repo
README.md:16
Low
Non-standard Sun.io router domain
The Sun.io Smart Router API uses 'endjgfsv.link' domains instead of api.sun.io. While the code comments explain this is from the frontend bundle, the obfuscated domain is unusual for a major DEX.
const SUNIO_ROUTER_API = { mainnet: 'https://rot.endjgfsv.link', ... }
→ Verify this domain is legitimate Sun.io infrastructure before using swap commands
scripts/tron_api.mjs:35
Info
Node.js subprocess in MCP server
mcp_server.mjs uses execFile to spawn node processes for tron_api.mjs commands. This is standard MCP architecture and is documented.
execFile('node', [TRON_API, ...args], { timeout: 30000 }, ...)
→ No action needed - this is expected MCP behavior
scripts/mcp_server.mjs:183
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | All operations are HTTP API calls; no local file access in tron_api.mjs
Network | READ | READ | ✓ Aligned | Only GET/POST to public TronGrid, TronScan, CoinGecko APIs
Shell | NONE | NONE | | mcp_server.mjs uses execFile only for spawning node process - necessary for MCP …
Environment | READ | READ | ✓ Aligned | Reads TRONGRID_API_KEY, TRON_NETWORK - declared in docs
Skill Invoke | WRITE | WRITE | ✓ Aligned | Routes to sub-skills (tron-wallet, tron-token, etc.) - declared in SKILL.md
21 findings (2 Critical)

Critical: Dangerous Command (Dangerous Shell Command)
    curl -sSL https://raw.githubusercontent.com/TronLink/tronlink-skills/main/install.sh | sh
    README.md:16
Critical: Dangerous Command (Dangerous Shell Command)
    curl -sSL https://raw.githubusercontent.com/TronLink/tronlink-skills/main/uninstall.sh | sh
    README.md:28
Medium: External URL https://www.trongrid.io/dashboard (README.md:106)
Medium: External URL https://api.trongrid.io (README.md:120)
Medium: External URL https://api.shasta.trongrid.io (README.md:121)
Medium: External URL https://nile.trongrid.io (README.md:122)
Medium: External URL https://trongrid.io (SKILL.md:8)
Medium: External URL https://www.trongrid.io/dashboard. (docs/claude-integration-guide.md:207)
Medium: External URL https://nodejs.org (install.sh:271)
Medium: External URL https://paulmillr.com/funding/ (package-lock.json:55)
Medium: External URL https://www.buymeacoffee.com/ricmoo (package-lock.json:281)
Medium: External URL https://apilist.tronscanapi.com/api (scripts/tron_api.mjs:30)
Medium: External URL https://docs.sun.io/developers/swap/smart-router (scripts/tron_api.mjs:35)
Medium: External URL https://rot.endjgfsv.link (scripts/tron_api.mjs:37)
Medium: External URL https://tnrouter.endjgfsv.link (scripts/tron_api.mjs:38)
Medium: External URL https://api.coingecko.com/api/v3 (scripts/tron_api.mjs:43)
Medium: External URL https://tronscan.org/#/token20/$ (scripts/tron_api.mjs:594)
Medium: External URL https://sunswap.com (scripts/tron_api.mjs:766)
Medium: External URL https://tronscan.org/#/transaction/$ (scripts/tron_api.mjs:810)
Medium: External URL https://tronnrg.com (scripts/tron_api.mjs:909)
Medium: External URL https://justlend.org (scripts/tron_api.mjs:910)

File Tree

19 files · 150.7 KB · 4345 lines
JavaScript: 2 files, 1703 lines · Markdown: 11 files, 1432 lines · JSON: 3 files, 660 lines · Shell: 3 files, 550 lines
├─ 📁 docs
│ ├─ 📝 claude-integration-guide.md Markdown 210L · 6.7 KB
│ ├─ 🔧 integration-guide.sh Shell 61L · 2.9 KB
│ ├─ 📝 resource-model.md Markdown 93L · 3.5 KB
│ └─ 📝 staking-guide.md Markdown 115L · 3.9 KB
├─ 📁 scripts
│ ├─ 📜 mcp_server.mjs JavaScript 497L · 15.1 KB
│ └─ 📜 tron_api.mjs JavaScript 1206L · 45.6 KB
├─ 📁 skills
│ ├─ 📁 tron-market
│ │ └─ 📝 SKILL.md Markdown 116L · 3.2 KB
│ ├─ 📁 tron-resource
│ │ └─ 📝 SKILL.md Markdown 139L · 4.8 KB
│ ├─ 📁 tron-staking
│ │ └─ 📝 SKILL.md Markdown 100L · 3.6 KB
│ ├─ 📁 tron-swap
│ │ └─ 📝 SKILL.md Markdown 110L · 3.6 KB
│ ├─ 📁 tron-token
│ │ └─ 📝 SKILL.md Markdown 108L · 3.2 KB
│ └─ 📁 tron-wallet
│ └─ 📝 SKILL.md Markdown 119L · 3.8 KB
├─ 📋 _meta.json JSON 13L · 503 B
├─ 🔧 install.sh Shell 325L · 11.6 KB
├─ 📋 package-lock.json JSON 606L · 20.7 KB
├─ 📋 package.json JSON 41L · 1.3 KB
├─ 📝 README.md Markdown 203L · 6.0 KB
├─ 📝 SKILL.md Markdown 119L · 3.8 KB
└─ 🔧 uninstall.sh Shell 164L · 6.8 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
none | N/A | native | No | Zero external dependencies - uses only Node.js native modules (fetch, crypto, child_process)

Security Positives

✓ Zero npm dependencies - uses only native Node.js 18+ fetch and crypto
✓ No credential harvesting or exfiltration
✓ No sensitive file access (~/.ssh, ~/.aws, .env)
✓ No base64-encoded payloads or eval() calls
✓ Read-only operations - no private key handling or transaction signing
✓ Uses only public blockchain APIs (TronGrid, TronScan, CoinGecko)
✓ Comprehensive SKILL.md documentation matches implementation
✓ Well-structured code with proper error handling