valuescan-skill Security Report — Trusted | ClawSafe

5 /100

valuescan-skill

ValueScan 加密货币主力资金流分析工具。支持资金异动监控、主力动向追踪、鲸鱼地址分析、板块轮动、机会/风险代币识别、大户成本分析。

ValueScan cryptocurrency analysis skill with legitimate API wrapper behavior — all capabilities declared, credentials used only for HMAC signing, no shell execution, no exfiltration.

Skill Namevaluescan-skill

Duration48.3s

Enginepi

✓

Safe to install

No action needed. Skill is safe for deployment.

Findings 2 items

Severity	Finding	Location
Info	Reference files marked sensitive are example data only references/base/token-detail.json, token-list.json, and category-tokens.json are flagged sensitive by pre-scan but contain only API schema definitions and example response data. No actual credentials or private keys are present. `example response with symbol=BTC, name=Bitcoin` → No action needed — these are expected reference files for API documentation	`references/base/token-detail.json:1`
Info	IOCs are all legitimate vendor resources All URLs resolve to valuescan.ai domains; crypto wallet addresses are example data in reference files (standard practice for API documentation); support email is for the legitimate vendor. `https://api.valuescan.io, https://www.valuescan.ai, [email protected]` → No action needed — all IOCs are legitimate vendor endpoints	`SKILL.md:1`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	script/sdk/vs_api_sign.js:20 reads ~/.openclaw/credentials/valuescan.json
Network	`READ`	`READ`	✓ Aligned	script/sdk/vs_api_sign.js:54-60 sends POST requests only to https://api.valuesca…
Shell	`NONE`	`NONE`	—	No subprocess, exec, or shell command invocations found in any file
Environment	`NONE`	`NONE`	—	No iteration over process.env or os.environ for secrets
credential	`READ`	`READ`	✓ Aligned	SKILL.md declares api_key and secret_key; used solely for HMAC-SHA256 request si…

8 findings

🔗

Medium External URL 外部 URL

https://www.valuescan.ai

SKILL.md:8

🔗

Medium External URL 外部 URL

https://api.valuescan.io/api/open/v1

SKILL.md:158

🔗

Medium External URL 外部 URL

https://www.valuescan.ai/dev-portal/home/

SKILL.md:170

🔗

Medium External URL 外部 URL

https://claw.valuescan.io

SKILL.md:284

💰

Medium Wallet Address 加密货币钱包地址

3M219KR5vEneNb47ewrPfWyb5jQ2DjxRP6

references/chain/balance-trend.json:27

💰

Medium Wallet Address 加密货币钱包地址

34xp4vRoCGJym3xR7yCVPFHoCNxv4Twseo

references/chain/holders.json:52

🔗

Medium External URL 外部 URL

https://api.valuescan.io

script/sdk/vs_api_sign.js:11

📧

Info Email 邮箱地址

[email protected]

SKILL.md:18

File Tree

30 files · 105.9 KB · 2076 lines

JSON 27f · 1628L Markdown 2f · 329L JavaScript 1f · 119L

├─ ▾ 📁 references

│ ├─ ▾ 📁 ai

│ │ ├─ 📋 chance-coin-list.json JSON 129L · 8.7 KB

│ │ ├─ 📋 chance-coin-messages.json JSON 50L · 2.3 KB

│ │ ├─ 📋 funds-coin-list.json JSON 74L · 4.5 KB

│ │ ├─ 📋 funds-coin-messages.json JSON 44L · 2.4 KB

│ │ ├─ 📋 risk-coin-list.json JSON 104L · 6.2 KB

│ │ └─ 📋 risk-coin-messages.json JSON 50L · 2.3 KB

│ ├─ ▾ 📁 base

│ │ ├─ 📋 kline.json JSON 61L · 2.7 KB

│ │ ├─ 🔑 token-detail.json ⚠ JSON 90L · 4.8 KB

│ │ └─ 🔑 token-list.json ⚠ JSON 26L · 1.4 KB

│ ├─ ▾ 📁 category

│ │ ├─ 📋 category-list.json JSON 45L · 2.4 KB

│ │ └─ 🔑 category-tokens.json ⚠ JSON 43L · 2.3 KB

│ ├─ ▾ 📁 chain

│ │ ├─ 📋 balance-trend.json JSON 42L · 2.0 KB

│ │ ├─ 📋 hold-trend.json JSON 37L · 2.1 KB

│ │ ├─ 📋 holders.json JSON 71L · 3.4 KB

│ │ ├─ 📋 large-trade.json JSON 91L · 4.5 KB

│ │ ├─ 📋 profit-loss-trend.json JSON 36L · 2.0 KB

│ │ └─ 📋 trade-count-trend.json JSON 49L · 2.4 KB

│ ├─ ▾ 📁 fund

│ │ ├─ 📋 coin-flow.json JSON 50L · 2.6 KB

│ │ ├─ 📋 cost.json JSON 37L · 2.1 KB

│ │ ├─ 📋 fund-snapshot.json JSON 70L · 3.8 KB

│ │ ├─ 📋 marketcap-ratio.json JSON 44L · 2.2 KB

│ │ └─ 📋 realtime-fund.json JSON 77L · 4.8 KB

│ ├─ ▾ 📁 indicator

│ │ ├─ 📋 dense-area.json JSON 32L · 1.5 KB

│ │ ├─ 📋 price-market.json JSON 35L · 1.5 KB

│ │ └─ 📋 sentiment.json JSON 64L · 2.9 KB

│ └─ 📋 enums.json JSON 143L · 7.9 KB

├─ ▾ 📁 script

│ └─ ▾ 📁 sdk

│ ├─ 📝 README.md Markdown 44L · 1.1 KB

│ └─ 📜 vs_api_sign.js JavaScript 119L · 3.8 KB

├─ 📋 _meta.json JSON 34L · 1000 B

└─ 📝 SKILL.md Markdown 285L · 14.4 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`node (built-in)`	`16+`	runtime	No	No external dependencies — only Node.js built-in modules (crypto, fs, path, os, url, fetch)

Security Positives

✓ No shell execution, subprocess, or command injection vectors

✓ No base64 decoding, eval(), or dynamic code execution

✓ No curl|bash or wget|sh remote script execution

✓ No iteration over os.environ for credential harvesting

✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive paths

✓ Credentials declared in SKILL.md and used only for HMAC-SHA256 signing

✓ SDK uses only Node.js built-in modules (crypto, fs, path, os, url, fetch)

✓ All network requests restricted to declared base URL https://api.valuescan.io

✓ No external pip/npm dependencies — only standard library

✓ Comprehensive API documentation with all endpoints declared

✓ SKILL.md explicitly states credentials are not exfiltrated

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives