Low Risk — Risk Score 15/100
Last scan: 17 hr ago
synai-shop
Agent-to-Agent task trading protocol on X Layer for earning/spending USDC
This is a legitimate agent-to-agent task marketplace skill for earning and spending USDC on the X Layer blockchain, with solid security documentation around wallet handling.
Skill Name: synai-shop
Duration: 34.8s
Engine: pi
Safe to install
Approve for use with the documented wallet key security requirements. Ensure operators provide a dedicated low-balance wallet and set SYNAI_WALLET_KEY outside agent control.

Findings (1 item)

Severity: Low
Finding: SDK installed from third-party Git repository
Category: Supply Chain
Location: Skill.md:42

The skill instructs agents to pip install from github.com/labrinyang/synai-sdk-python.git. The install is pinned to commit 08ecb05, but the source repository is not a well-known vendor, and the pin is a 7-character abbreviated hash rather than the full commit ID.
pip install "synai-relay[all] @ git+https://github.com/labrinyang/synai-sdk-python.git@08ecb05"
→ Verify that the repository owner is trusted and review the pinned commit before installing; pin to the full 40-character commit SHA so the reference cannot become ambiguous. Consider requesting that the SDK be published to PyPI for an additional trust chain.
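As an added example (not code from the scan report or from the synai project), the following Python grades how firmly a pip git+ requirement is pinned and then confirms, from pip's own PEP 610 direct_url.json record, that the installed package really came from the pinned commit. The requirement string is the one quoted in the finding; the direct_url.json sample and its 40-character commit ID are constructed placeholders, not the real upstream commit.

```python
"""Check a pip git+ requirement pin and confirm the installed package came
from that commit.

Added example for this finding; not code from the scan report or from the
synai project. The sample direct_url.json below is constructed.
"""
import json
import re
from importlib import metadata

# The install line quoted in the finding (Skill.md:42).
REQUIREMENT = ("synai-relay[all] @ "
               "git+https://github.com/labrinyang/synai-sdk-python.git@08ecb05")

# PEP 508 direct reference: name[extras] @ git+URL@REF#fragment
_GIT_REQ = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*@\s*git\+"
    r"(?P<url>[^@#\s]+)(?:@(?P<ref>[^#\s]+))?(?:#\S*)?$"
)
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def classify_pin(requirement: str) -> dict:
    """Say how strongly a git+ requirement is pinned.

    full-sha     40-hex commit id: immutable, the only fully reproducible pin
    short-sha    abbreviated commit id (as in this skill): resolves to one
                 commit today, but a prefix is not a unique identifier forever
    mutable-ref  branch or tag name: upstream can move it
    unpinned     no @ref: installs whatever the default branch points at
    """
    m = _GIT_REQ.match(requirement.strip())
    if not m:
        raise ValueError("not a PEP 508 git+ direct reference")
    ref = m.group("ref")
    if ref is None:
        kind = "unpinned"
    elif _HEX.match(ref) and len(ref) == 40:
        kind = "full-sha"
    elif _HEX.match(ref) and 7 <= len(ref) < 40:
        kind = "short-sha"
    else:
        kind = "mutable-ref"
    return {"name": m.group("name"), "url": m.group("url"), "ref": ref, "kind": kind}


def verify_installed(direct_url_json: str, expected_url: str, expected_ref: str) -> tuple:
    """Compare pip's PEP 610 direct_url.json against the pin.

    pip writes direct_url.json into the .dist-info directory of any package
    installed from a URL; for git sources it records the resolved commit_id.
    Returns (ok, message).
    """
    info = json.loads(direct_url_json)
    vcs = info.get("vcs_info") or {}
    if vcs.get("vcs") != "git":
        return False, "installed package did not come from a git checkout"
    if info.get("url") != expected_url:
        return False, f"installed from {info.get('url')!r}, expected {expected_url!r}"
    commit = str(vcs.get("commit_id", ""))
    if not (_HEX.match(commit) and commit.lower().startswith(expected_ref.lower())):
        return False, f"installed commit {commit!r} does not match pin {expected_ref!r}"
    if len(expected_ref) < 40:
        return True, f"prefix {expected_ref} matches; record full commit {commit} in the pin"
    return True, "installed commit matches the full-length pin"


def installed_direct_url(dist_name: str):
    """Read direct_url.json for an installed distribution, or None if the
    package is absent or was installed from an index rather than a URL."""
    try:
        return metadata.distribution(dist_name).read_text("direct_url.json")
    except metadata.PackageNotFoundError:
        return None


# Constructed sample of what pip would write; the 40-hex commit_id is a
# placeholder built from the quoted prefix, NOT the real upstream commit.
SAMPLE_DIRECT_URL = json.dumps({
    "url": "https://github.com/labrinyang/synai-sdk-python.git",
    "vcs_info": {"vcs": "git", "requested_revision": "08ecb05",
                 "commit_id": "08ecb05" + "0" * 33},
})

if __name__ == "__main__":
    pin = classify_pin(REQUIREMENT)
    print(f"{pin['name']} pinned by {pin['kind']}: {pin['ref']}")
    print(verify_installed(SAMPLE_DIRECT_URL, pin["url"], pin["ref"]))
```

In a real environment, pass the output of installed_direct_url("synai-relay") to verify_installed after the agent has run the documented pip command; a None result means the package was not installed from the git URL the skill specifies.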
Resource    | Declared | Inferred | Status    | Evidence
Shell       | WRITE    | WRITE    | ✓ Aligned | pip install command in Skill.md:42
Network     | READ     | READ     | ✓ Aligned | API calls to https://synai.shop throughout documentation
Environment | READ     | READ     | ✓ Aligned | SYNAI_WALLET_KEY access documented in Skill.md:10
Filesystem  | NONE     | NONE     |           | No file system operations declared or observed
IOCs (4 items)

Severity | Type                          | Value                                      | Location
Medium   | External URL                  | https://synai.shop                         | Skill.md:14
Medium   | Cryptocurrency wallet address | 0x74b7f16337b8972027f6196a17a631ac6de26d22 | Skill.md:227
Medium   | External URL                  | https://rpc.xlayer.tech                    | Skill.md:228
Medium   | External URL                  | https://www.oklink.com/xlayer/tx/          | Skill.md:229

The scanner classifies the address at Skill.md:227 as a wallet address; the Security Positives section below identifies it as the USDC token contract, and the two X Layer URLs as the RPC endpoint and the transaction explorer.

File Tree

1 file · 12.0 KB · 269 lines
└─ 📝 Skill.md  Markdown  269L · 12.0 KB

Dependencies (1 item)

Package     | Version | Source                                                  | Known Vulns | Notes
synai-relay | 08ecb05 | git+https://github.com/labrinyang/synai-sdk-python.git | No          | Pinned to a specific git commit; source should be verified

Security Positives

✓ Excellent wallet security documentation with clear guidelines
✓ SDK pinned to a specific git commit (08ecb05, an abbreviated hash; see the supply-chain finding) rather than a branch, for reproducibility
✓ No private key logging or output requirements
✓ Strong operational guidance: dedicated wallet, human approval for spending
✓ No suspicious patterns: no base64, no obfuscation, no reverse shell indicators
✓ No sensitive file access (~/.ssh, ~/.aws, .env files)
✓ All IOCs are legitimate blockchain infrastructure (USDC contract, RPC, explorer)
✓ Clear documentation of capability requirements