Trusted — Risk Score 5/100
Last scan: 2 days ago
turing-pot
Play The Turing Pot — a provably fair SOL betting game for AI agents
This is a legitimate SOL betting game daemon for The Turing Pot. All capabilities are properly declared, no hidden functionality, and the code is well-documented with security guidance for private key handling.
Skill Name: turing-pot
Duration: 38.7s
Engine: pi
Safe to install
No action required. The skill is safe to use as documented.

Findings (2 items)

Severity: Low
Finding: Buffer.from with 'base64' is legitimate protocol encoding
Location: scripts/player.js:327
The pre-scan flagged Buffer.from(s, 'base64') at player.js:327. This is b64dec(), a plain base64 decoder used to parse incoming WebSocket messages; the protocol wraps JSON in base64 (e.g., game_updateState('base64...')). Decoding a base64 string is data handling, not code execution: the decoded text is parsed as JSON, and the review found no eval(), Function() or vm usage that would turn it into code.
    const b64dec = s => Buffer.from(s, 'base64').toString('utf8');
→ No action needed. This is expected protocol behavior, not code obfuscation.
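Worked example, added to this report and not taken from the turing-pot sources: a strict version of the base64-to-JSON frame decoding the finding describes. The one-liner quoted above is the project's; everything below, including the size bound, the required-key list and the sample frame, is an assumption for illustration. It shows the check a reviewer wants after confirming the decoder is benign: Node's base64 decoder is lenient (it skips characters outside the alphabet and ignores stray bits), so the decoded bytes are validated by round-tripping, parsed only with JSON.parse, and never passed to eval or Function.

```javascript
// Added example: strict decoding of base64-wrapped JSON frames.
// Not the turing-pot code; the constants and the sample frame are assumptions.

const MAX_FRAME_BYTES = 64 * 1024;          // assumed upper bound on a decoded frame
const B64_RE = /^[A-Za-z0-9+/]*={0,2}$/;    // standard alphabet, optional '=' padding

function encodeFrame(obj) {
  // Sender side, for the demo: JSON -> UTF-8 -> base64.
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64');
}

function decodeFrame(b64, requiredKeys = []) {
  if (typeof b64 !== 'string') throw new Error('frame rejected: not a string');
  if (b64.length > Math.ceil(MAX_FRAME_BYTES / 3) * 4) throw new Error('frame rejected: too large');
  if (b64.length % 4 !== 0 || !B64_RE.test(b64)) throw new Error('frame rejected: not canonical base64');

  const bytes = Buffer.from(b64, 'base64');
  // Round trip: anything the lenient decoder dropped (foreign characters) or
  // ignored (stray trailing bits) makes the re-encoding differ from the input.
  if (bytes.toString('base64') !== b64) throw new Error('frame rejected: non-canonical base64');

  let msg;
  try {
    msg = JSON.parse(bytes.toString('utf8'));   // data, not code: no eval/Function/vm
  } catch {
    throw new Error('frame rejected: payload is not JSON');
  }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) {
    throw new Error('frame rejected: expected a JSON object');
  }
  for (const key of requiredKeys) {
    if (!Object.prototype.hasOwnProperty.call(msg, key)) {
      throw new Error(`frame rejected: missing "${key}"`);
    }
  }
  return msg;
}

// Constructed sample frame, standing in for the argument of game_updateState('...').
const SAMPLE_FRAME = encodeFrame({ round: 42, potLamports: 1500000, players: ['A', 'B'] });
console.log(decodeFrame(SAMPLE_FRAME, ['round', 'potLamports']));
```

The round-trip check is what separates "decoded without error" from "decoded to the bytes the sender encoded"; with the one-liner alone, a frame such as e31= decodes to {} even though it is not the encoding of {}.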
Severity: Low
Finding: ws optional dependency version not pinned
Location: package.json:16
package.json lists ws as an optionalDependency with the caret range ^8.18.0 rather than an exact version. The code tries the global WebSocket first (available unflagged in Node 22+, so older runtimes always take the fallback) and falls back to ws. This is documented and the package is well-maintained.
    "optionalDependencies": { "ws": "^8.18.0" }
→ Optional: pin to an exact version (and commit a lockfile) for reproducibility.
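Added example, not code from turing-pot: the native-first, ws-fallback selection the finding describes, together with the companion check a reviewer wants when the fallback's version is not pinned: the socket library may vary, but the endpoints the daemon talks to must not. The allowlist is copied from the resource table below; the function names and the injectable loader are assumptions for the example.

```javascript
// Added example: choose a WebSocket implementation without opening a socket,
// and refuse any endpoint outside the declared set. Not the project's code.

// Endpoints copied from the scan's resource table (assumed to be the complete set).
const ALLOWED_ENDPOINTS = [
  { protocol: 'wss:',   host: 'router.pedals.tech:8080' },
  { protocol: 'https:', host: 'onboarding.pedals.tech' },
];

// `native` and `loadWs` are injectable so the selection can be unit-tested
// independently of the Node version and of whether `ws` is installed.
// Pass native: null to simulate a runtime without a global WebSocket.
function selectWebSocket({ native = globalThis.WebSocket, loadWs = () => require('ws') } = {}) {
  if (typeof native === 'function') return { source: 'native', WebSocket: native };
  try {
    const mod = loadWs();
    const WS = mod && (mod.WebSocket || mod.default || mod);
    if (typeof WS === 'function') return { source: 'ws', WebSocket: WS };
    return { source: 'none', WebSocket: null, reason: 'ws module has no WebSocket export' };
  } catch (err) {
    // ws is an optionalDependency, so its absence is an expected condition, not a crash.
    return { source: 'none', WebSocket: null, reason: err.message };
  }
}

// Rejects wrong scheme (ws:// instead of wss://), wrong host, wrong port,
// look-alike hosts, and URLs that smuggle credentials in the userinfo part.
function assertAllowedEndpoint(urlString) {
  const url = new URL(urlString);            // throws on malformed input
  if (url.username || url.password) throw new Error('credentials in URL are not allowed');
  const ok = ALLOWED_ENDPOINTS.some(e => e.protocol === url.protocol && e.host === url.host);
  if (!ok) throw new Error(`endpoint not declared: ${url.protocol}//${url.host}`);
  return url;
}

// Demo: report which implementation this runtime would use and vet the router URL.
console.log(selectWebSocket().source, assertAllowedEndpoint('wss://router.pedals.tech:8080/').href);
```

URL.host carries the explicit port when it is not the scheme default, so wss://router.pedals.tech/ (implicit 443) does not match the declared router.pedals.tech:8080 and is refused.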
Resource          Declared  Inferred  Status     Evidence
Filesystem READ   READ      READ      ✓ Aligned  player.js: reads profile pic path, session.json
Filesystem WRITE  WRITE     WRITE     ✓ Aligned  player.js: creates ~/.turing-pot/ for daemon state, logs, events
Network READ      READ      READ      ✓ Aligned  WebSocket to wss://router.pedals.tech:8080 and HTTPS to onboarding.pedals.tech
Shell WRITE       WRITE     WRITE     ✓ Aligned  child_process.spawn for daemon mode, process.kill for stop — declared in SKILL.m…
Environment READ  READ      READ      ✓ Aligned  Reads TURING_POT_PRIVATE_KEY, TURING_POT_RPC_URL env vars — declared in SKILL.md
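The table above is the scanner's declared-versus-inferred comparison. As an added example (not the scanner's implementation, whose rules are not on this page), this is a minimal version of that check: regex patterns that imply a capability, run over a constructed sample source written in the style of player.js, then diffed against the capabilities SKILL.md declares. The patterns, the sample source and the status labels are assumptions.

```javascript
// Added example: infer capabilities from source text and diff against the
// declared list. Patterns and sample are constructed; not the scanner's code.

const CAPABILITY_PATTERNS = [
  { capability: 'Filesystem READ',  re: /\bfs\.(readFile|readFileSync|createReadStream|readdir)\b/ },
  { capability: 'Filesystem WRITE', re: /\bfs\.(writeFile|writeFileSync|mkdir|mkdirSync|appendFile)\b/ },
  { capability: 'Network READ',     re: /\b(new WebSocket|https?\.(get|request)|fetch)\s*\(|wss?:\/\/|https?:\/\// },
  { capability: 'Shell WRITE',      re: /\bchild_process\b|\b(spawn|exec|execSync)\s*\(|\bprocess\.kill\s*\(/ },
  { capability: 'Environment READ', re: /\bprocess\.env\b/ },
  // The one a scanner cares about most: turning data into code.
  { capability: 'Code EXEC',        re: /\beval\s*\(|\bnew Function\s*\(|\bvm\.(runIn\w+|Script)\b/ },
];

// Returns Map<capability, { line, text }> with the first matching line as evidence.
function inferCapabilities(source) {
  const found = new Map();
  source.split('\n').forEach((line, i) => {
    for (const { capability, re } of CAPABILITY_PATTERNS) {
      if (!found.has(capability) && re.test(line)) {
        found.set(capability, { line: i + 1, text: line.trim() });
      }
    }
  });
  return found;
}

// One row per capability seen on either side. 'undeclared' is the finding:
// the code does something the manifest never mentions.
function compareWithDeclared(declared, inferred) {
  const declaredSet = new Set(declared);
  const rows = [];
  for (const cap of new Set([...declaredSet, ...inferred.keys()])) {
    const isDeclared = declaredSet.has(cap);
    const isInferred = inferred.has(cap);
    rows.push({
      capability: cap,
      status: isDeclared && isInferred ? 'aligned' : isInferred ? 'undeclared' : 'declared-unused',
      evidence: isInferred ? inferred.get(cap) : null,
    });
  }
  return rows;
}

// Constructed sample source in the style of the daemon; not the real player.js.
const SAMPLE_SOURCE = `
const fs = require('fs');
const { spawn } = require('child_process');
const home = process.env.HOME;
const key = process.env.TURING_POT_PRIVATE_KEY;
fs.mkdirSync(home + '/.turing-pot', { recursive: true });
const session = JSON.parse(fs.readFileSync(home + '/.turing-pot/session.json', 'utf8'));
const sock = new WebSocket('wss://router.pedals.tech:8080');
const child = spawn(process.execPath, [__filename, '--daemon']);
`;
// Declared capabilities, taken from the resource table above.
const DECLARED = ['Filesystem READ', 'Filesystem WRITE', 'Network READ', 'Shell WRITE', 'Environment READ'];

console.table(compareWithDeclared(DECLARED, inferCapabilities(SAMPLE_SOURCE)));
```

Line-based regex matching is deliberately crude: it also fires on commented-out code and misses dynamic requires, which is why a real scanner pairs it with a reviewer pass like the findings above.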
Pre-scan flags (automated, before review): 8 findings, 1 Critical and 7 Medium. The Critical item is the base64 decoder assessed as Low in the reviewed findings above.

Critical · Encoded Execution (base64-encoded execution / code obfuscation)
  Buffer.from(s, 'base64'
  scripts/player.js:327
Medium · External URL
  https://lurker.pedals.tech/WWTurn87sdKd223iPsIa9sf0s11oijd98d233GTR89dimd8WiqqW56kkws90lla/
  README.md:136
Medium · External URL
  https://api.mainnet-beta.solana.com
  SECURITY.md:159
Medium · External URL
  https://mainnet.helius-rpc.com/?api-key=YOUR_KEY
  SECURITY.md:168
Medium · External URL
  https://helius.dev**
  SECURITY.md:182
Medium · External URL
  https://onboarding.pedals.tech/WWTurn87sdKd223iPsIa9sf0s11oijd98d233GTR89dimd8WiqqW56kkws90lla/
  SKILL.md:221
Medium · External URL
  https://onboarding.pedals.tech/
  scripts/player.js:723
Medium · Cryptocurrency wallet address
  11111111111111111111111111111111
  scripts/solana-lite.js:174
  (This is the Solana System Program ID, a well-known program address, not a user wallet.)

File Tree

7 files · 67.7 KB · 1862 lines
JavaScript: 3 files, 1275 lines · Markdown: 3 files, 567 lines · JSON: 1 file, 20 lines
├─ 📁 scripts
│ ├─ 📜 check.js JavaScript 99L · 3.7 KB
│ ├─ 📜 player.js JavaScript 812L · 31.0 KB
│ └─ 📜 solana-lite.js JavaScript 364L · 14.5 KB
├─ 📋 package.json JSON 20L · 469 B
├─ 📝 README.md Markdown 148L · 4.5 KB
├─ 📝 SECURITY.md Markdown 188L · 5.8 KB
└─ 📝 SKILL.md Markdown 231L · 7.9 KB

Dependencies (1 item)

Package  Version  Source          Known Vulns  Notes
ws       ^8.18.0  npm (optional)  No           Optional dependency; used only when no global WebSocket is present (Node 22+ has one). Version not pinned.

Security Positives

✓ Private key is never written to disk — read from env var only
✓ Comprehensive SECURITY.md guidance with three safe key-storage options, referenced from SKILL.md
✓ Private key not required in openclaw.json (empty entry documented)
✓ Fairness proof verification implemented client-side (sha256 verification)
✓ No eval(), no dynamic code generation, no obfuscation
✓ All external URLs fully declared in SKILL.md
✓ No credential exfiltration or suspicious data transmission
✓ Well-commented code with clear separation of concerns
✓ Auto-onboarding is non-fatal (fails gracefully)
✓ Uses pure Node.js for Solana operations (solana-lite.js) — no untrusted npm dependencies