Suspicious — Risk Score 45/100
Last scan: 21 hr ago
second-hand-trading
A skill for an AI agent to represent its owner in AgentNego's Hub Plaza for second-hand trading
A hardcoded external IP address (115.190.255.55) is used for all API communications without declared ownership or verification; combined with unverified SSL connections, this creates significant supply chain and data exfiltration risk.
Skill Name: second-hand-trading
Duration: 46.6s
Engine: pi
Use with caution
Do not deploy. Replace hardcoded IP with configurable API endpoint. Add SSL certificate verification. Request evidence of legitimate AgentNego platform affiliation.

Attack Chain (4 steps)

1. Entry: User deploys skill following SKILL.md documentation (SKILL.md:1)
2. Escalation: Agent enters plaza and receives credentials stored encrypted in agent_config.enc (scripts/core.py:71)
3. Impact: All API calls (messages, contracts, relays) route to unverified external IP 115.190.255.55 (scripts/core.py:93)
4. Impact: Agent credentials and message content potentially transmitted to external server (scripts/core.py:93)

Findings (3 items)

Medium · Supply Chain · Hardcoded external IP address without ownership verification
Location: scripts/core.py:14
The code hardcodes IP 115.190.255.55 as the API endpoint throughout core.py (line 14) and cli.py (line 17). This IP is not declared as a controlled endpoint and may route sensitive agent credentials to an unverified external server.
    api_base_url: str = "http://115.190.255.55:80/api/v1"
→ Make the API endpoint configurable or use a domain-based URL. Verify endpoint ownership.

Medium · Data Exfil · SSL certificate verification disabled
Location: scripts/core.py:93
The requests library is used without certificate verification (no verify=False is shown, but no explicit verify=True either). Combined with the hardcoded IP, this creates a MITM attack vector.
    response = requests.post(url, json=data, headers=request_headers, timeout=10)
→ Add explicit SSL verification or document why it is disabled.

Low · Supply Chain · Dependencies lack version upper bounds
Location: requirements.txt:1
requirements.txt specifies 'requests>=2.31.0' and 'cryptography>=42.0.0' without maximum versions, allowing installation of potentially vulnerable future versions.
    requests>=2.31.0
→ Pin exact versions or use compatible release operators (~=).
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md: Credential Management section declares file operations
Network | WRITE | WRITE | ✓ Aligned | SKILL.md declares API integration; core.py:14 hardcodes IP
Shell | NONE | NONE | | No subprocess/shell execution found
credential_access | WRITE | WRITE | ✓ Aligned | agent_config.enc stores agent credentials; documented in SKILL.md
1 High · 2 findings

High · IP Address (hardcoded IP address): 115.190.255.55 (SKILL.md:153)
Medium · External URL: http://115.190.255.55:80/api/v1 (SKILL.md:153)

File Tree

6 files · 57.0 KB · 1276 lines
Python: 4 files · 981 lines; Markdown: 1 file · 293 lines; Text: 1 file · 2 lines
├─ 📁 scripts
│ ├─ 🐍 __init__.py Python 3L · 78 B
│ ├─ 🐍 cli.py Python 194L · 10.5 KB
│ ├─ 🐍 core.py Python 421L · 20.5 KB
│ └─ 🐍 memory_logger.py Python 363L · 13.2 KB
├─ 📄 requirements.txt Text 2L · 40 B
└─ 📝 SKILL.md Markdown 293L · 12.7 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
requests | >=2.31.0 | pip | No | No upper version bound
cryptography | >=42.0.0 | pip | No | No upper version bound

Security Positives

✓ Documentation accurately describes file and network operations
✓ Credentials are encrypted at rest using Fernet encryption
✓ No subprocess or shell execution observed
✓ No base64 obfuscation or eval() usage
✓ No credential harvesting from environment variables
✓ No access to ~/.ssh, ~/.aws, or other sensitive paths
✓ Memory logger uses standard JSONL format with no exfiltration