中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:2 天前 重新扫描
5 /100
valuescan-skill
ValueScan 加密货币主力资金流分析工具。支持资金异动监控、主力动向追踪、鲸鱼地址分析、板块轮动、机会/风险代币识别、大户成本分析。
ValueScan cryptocurrency analysis skill with legitimate API wrapper behavior — all capabilities declared, credentials used only for HMAC signing, no shell execution, no exfiltration.
技能名称valuescan-skill
分析耗时48.3s
引擎pi
可以安装
No action needed. Skill is safe for deployment.

安全发现 2 项

严重性 安全发现 位置
提示
Reference files marked sensitive are example data only
references/base/token-detail.json, token-list.json, and category-tokens.json are flagged sensitive by pre-scan but contain only API schema definitions and example response data. No actual credentials or private keys are present.
example response with symbol=BTC, name=Bitcoin
→ No action needed — these are expected reference files for API documentation
 references/base/token-detail.json:1
提示
IOCs are all legitimate vendor resources
All URLs resolve to valuescan.ai domains; crypto wallet addresses are example data in reference files (standard practice for API documentation); support email is for the legitimate vendor.
https://api.valuescan.io, https://www.valuescan.ai, [email protected]
→ No action needed — all IOCs are legitimate vendor endpoints
 SKILL.md:1
资源类型声明权限推断权限状态证据
文件系统 READ READ ✓ 一致 script/sdk/vs_api_sign.js:20 reads ~/.openclaw/credentials/valuescan.json
网络访问 READ READ ✓ 一致 script/sdk/vs_api_sign.js:54-60 sends POST requests only to https://api.valuesca…
命令执行 NONE NONE No subprocess, exec, or shell command invocations found in any file
环境变量 NONE NONE No iteration over process.env or os.environ for secrets
凭证 READ READ ✓ 一致 SKILL.md declares api_key and secret_key; used solely for HMAC-SHA256 request si…
8 项发现
🔗
中危 外部 URL 外部 URL
https://www.valuescan.ai
SKILL.md:8
🔗
中危 外部 URL 外部 URL
https://api.valuescan.io/api/open/v1
SKILL.md:158
🔗
中危 外部 URL 外部 URL
https://www.valuescan.ai/dev-portal/home/
SKILL.md:170
🔗
中危 外部 URL 外部 URL
https://claw.valuescan.io
SKILL.md:284
💰
中危 钱包地址 加密货币钱包地址
3M219KR5vEneNb47ewrPfWyb5jQ2DjxRP6
references/chain/balance-trend.json:27
💰
中危 钱包地址 加密货币钱包地址
34xp4vRoCGJym3xR7yCVPFHoCNxv4Twseo
references/chain/holders.json:52
🔗
中危 外部 URL 外部 URL
https://api.valuescan.io
script/sdk/vs_api_sign.js:11
📧
提示 邮箱 邮箱地址
[email protected]
SKILL.md:18

目录结构

30 文件 · 105.9 KB · 2076 行
JSON 27f · 1628L Markdown 2f · 329L JavaScript 1f · 119L
├─ 📁 references
│ ├─ 📁 ai
│ │ ├─ 📋 chance-coin-list.json JSON 129L · 8.7 KB
│ │ ├─ 📋 chance-coin-messages.json JSON 50L · 2.3 KB
│ │ ├─ 📋 funds-coin-list.json JSON 74L · 4.5 KB
│ │ ├─ 📋 funds-coin-messages.json JSON 44L · 2.4 KB
│ │ ├─ 📋 risk-coin-list.json JSON 104L · 6.2 KB
│ │ └─ 📋 risk-coin-messages.json JSON 50L · 2.3 KB
│ ├─ 📁 base
│ │ ├─ 📋 kline.json JSON 61L · 2.7 KB
│ │ ├─ 🔑 token-detail.json JSON 90L · 4.8 KB
│ │ └─ 🔑 token-list.json JSON 26L · 1.4 KB
│ ├─ 📁 category
│ │ ├─ 📋 category-list.json JSON 45L · 2.4 KB
│ │ └─ 🔑 category-tokens.json JSON 43L · 2.3 KB
│ ├─ 📁 chain
│ │ ├─ 📋 balance-trend.json JSON 42L · 2.0 KB
│ │ ├─ 📋 hold-trend.json JSON 37L · 2.1 KB
│ │ ├─ 📋 holders.json JSON 71L · 3.4 KB
│ │ ├─ 📋 large-trade.json JSON 91L · 4.5 KB
│ │ ├─ 📋 profit-loss-trend.json JSON 36L · 2.0 KB
│ │ └─ 📋 trade-count-trend.json JSON 49L · 2.4 KB
│ ├─ 📁 fund
│ │ ├─ 📋 coin-flow.json JSON 50L · 2.6 KB
│ │ ├─ 📋 cost.json JSON 37L · 2.1 KB
│ │ ├─ 📋 fund-snapshot.json JSON 70L · 3.8 KB
│ │ ├─ 📋 marketcap-ratio.json JSON 44L · 2.2 KB
│ │ └─ 📋 realtime-fund.json JSON 77L · 4.8 KB
│ ├─ 📁 indicator
│ │ ├─ 📋 dense-area.json JSON 32L · 1.5 KB
│ │ ├─ 📋 price-market.json JSON 35L · 1.5 KB
│ │ └─ 📋 sentiment.json JSON 64L · 2.9 KB
│ └─ 📋 enums.json JSON 143L · 7.9 KB
├─ 📁 script
│ └─ 📁 sdk
│ ├─ 📝 README.md Markdown 44L · 1.1 KB
│ └─ 📜 vs_api_sign.js JavaScript 119L · 3.8 KB
├─ 📋 _meta.json JSON 34L · 1000 B
└─ 📝 SKILL.md Markdown 285L · 14.4 KB

依赖分析 1 项

包名版本来源已知漏洞备注
node (built-in) 16+ runtime No external dependencies — only Node.js built-in modules (crypto, fs, path, os, url, fetch)

安全亮点

✓ No shell execution, subprocess, or command injection vectors
✓ No base64 decoding, eval(), or dynamic code execution
✓ No curl|bash or wget|sh remote script execution
✓ No iteration over os.environ for credential harvesting
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive paths
✓ Credentials declared in SKILL.md and used only for HMAC-SHA256 signing
✓ SDK uses only Node.js built-in modules (crypto, fs, path, os, url, fetch)
✓ All network requests restricted to declared base URL https://api.valuescan.io
✓ No external pip/npm dependencies — only standard library
✓ Comprehensive API documentation with all endpoints declared
✓ SKILL.md explicitly states credentials are not exfiltrated