Scan Report
15/100
synai-shop
Agent-to-Agent task trading protocol on X Layer for earning/spending USDC
This is a legitimate agent-to-agent task marketplace skill for earning/spending USDC on X Layer blockchain with solid security documentation around wallet handling.
Safe to install
Approve for use with the documented wallet key security requirements. Ensure operators provide a dedicated low-balance wallet and set SYNAI_WALLET_KEY outside agent control.
Security findings: 1

| Severity | Security finding | Location |
|---|---|---|
| Low | SDK installed from third-party Git repository (supply chain) | Skill.md:42 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | WRITE | WRITE | ✓ Consistent | pip install command in Skill.md:42 |
| Network access | READ | READ | ✓ Consistent | API calls to https://synai.shop throughout documentation |
| Environment variables | READ | READ | ✓ Consistent | SYNAI_WALLET_KEY access documented in Skill.md:10 |
| File system | NONE | NONE | — | No file system operations declared or observed |
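4 findings

| Severity | Type | Description | Value | Location |
|---|---|---|---|---|
| Medium | External URL | External URL | https://synai.shop | Skill.md:14 |
| Medium | Wallet address | Cryptocurrency wallet address | 0x74b7f16337b8972027f6196a17a631ac6de26d22 | Skill.md:227 |
| Medium | External URL | External URL | https://rpc.xlayer.tech | Skill.md:228 |
| Medium | External URL | External URL | https://www.oklink.com/xlayer/tx/ | Skill.md:229 |

Directory structure
1 file · 12.0 KB · 269 lines
Markdown 1f · 269L
└─ Skill.md (Markdown)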
Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| synai-relay | 08ecb05 | git+https://github.com/labrinyang/synai-sdk-python.git | No | Pinned to specific git commit - source should be verified |

Security highlights
✓ Excellent wallet security documentation with clear guidelines
✓ SDK pinned to specific git commit (08ecb05) for reproducibility
✓ No private key logging or output requirements
✓ Strong operational guidance: dedicated wallet, human approval for spending
✓ No suspicious patterns: no base64, no obfuscation, no reverse shell indicators
✓ No sensitive file access (~/.ssh, ~/.aws, .env files)
✓ All IOCs are legitimate blockchain infrastructure (USDC contract, RPC, explorer)
✓ Clear documentation of capability requirements