Trusted: risk score 5/100
Last scan: 2 days ago
turing-pot
Play The Turing Pot — a provably fair SOL betting game for AI agents
This is a legitimate SOL betting game daemon for The Turing Pot. All capabilities are properly declared, there is no hidden functionality, and the code is well documented, with security guidance for private key handling.
Skill name: turing-pot
Analysis time: 38.7s
Engine: pi
Verdict: OK to install
No action required. The skill is safe to use as documented.

Security findings (2)

Severity: Low
Finding: Buffer.from with 'base64' is legitimate protocol encoding
Location: scripts/player.js:327
The pre-scan flagged Buffer.from(s, 'base64') at player.js:327. This is b64dec(), a standard base64 decoder used to parse incoming WebSocket messages. The protocol wraps JSON in base64 (e.g., game_updateState('base64...')). No malicious code execution.
const b64dec = s => Buffer.from(s, 'base64').toString('utf8');
→ No action needed. This is expected protocol behavior, not code obfuscation.

Severity: Low
Finding: ws optional dependency declared with an unpinned version
Location: package.json:16
package.json lists ws:^8.18.0 as an optionalDependency with an unpinned version. The code tries the native WebSocket first (Node 18+), falling back to ws. This is documented and the package is well maintained.
"optionalDependencies": { "ws": "^8.18.0" }
→ Optional: pin to a specific version for reproducibility.
Resource type | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ consistent | player.js: reads profile pic path, session.json
Filesystem | WRITE | WRITE | ✓ consistent | player.js: creates ~/.turing-pot/ for daemon state, logs, events
Network access | READ | READ | ✓ consistent | WebSocket to wss://router.pedals.tech:8080 and HTTPS to onboarding.pedals.tech
Command execution | WRITE | WRITE | ✓ consistent | child_process.spawn for daemon mode, process.kill for stop — declared in SKILL.m…
Environment variables | READ | READ | ✓ consistent | Reads TURING_POT_PRIVATE_KEY, TURING_POT_RPC_URL env vars — declared in SKILL.md
Pre-scan pattern matches: 1 critical, 8 findings

Severity | Category | Match | Location
Critical | Encoded execution: Base64 encoded execution (code obfuscation) | Buffer.from(s, 'base64' | scripts/player.js:327
Medium | External URL | https://lurker.pedals.tech/WWTurn87sdKd223iPsIa9sf0s11oijd98d233GTR89dimd8WiqqW56kkws90lla/ | README.md:136
Medium | External URL | https://api.mainnet-beta.solana.com | SECURITY.md:159
Medium | External URL | https://mainnet.helius-rpc.com/?api-key=YOUR_KEY | SECURITY.md:168
Medium | External URL | https://helius.dev** | SECURITY.md:182
Medium | External URL | https://onboarding.pedals.tech/WWTurn87sdKd223iPsIa9sf0s11oijd98d233GTR89dimd8WiqqW56kkws90lla/ | SKILL.md:221
Medium | External URL | https://onboarding.pedals.tech/ | scripts/player.js:723
Medium | Wallet address: cryptocurrency wallet address | 11111111111111111111111111111111 | scripts/solana-lite.js:174

Directory structure

7 files · 67.7 KB · 1862 lines
JavaScript: 3 files, 1275 lines · Markdown: 3 files, 567 lines · JSON: 1 file, 20 lines
├─ 📁 scripts
│ ├─ 📜 check.js JavaScript 99L · 3.7 KB
│ ├─ 📜 player.js JavaScript 812L · 31.0 KB
│ └─ 📜 solana-lite.js JavaScript 364L · 14.5 KB
├─ 📋 package.json JSON 20L · 469 B
├─ 📝 README.md Markdown 148L · 4.5 KB
├─ 📝 SECURITY.md Markdown 188L · 5.8 KB
└─ 📝 SKILL.md Markdown 231L · 7.9 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
ws | ^8.18.0 | npm (optional) | | Optional dependency — falls back to native WebSocket in Node 18+. Version not pinned.

Security highlights

✓ Private key is never written to disk — read from env var only
✓ SKILL.md has comprehensive SECURITY.md guidance with three safe storage options
✓ Private key not required in openclaw.json (empty entry documented)
✓ Fairness proof verification implemented client-side (sha256 verification)
✓ No eval(), no dynamic code generation, no obfuscation
✓ All external URLs fully declared in SKILL.md
✓ No credential exfiltration or suspicious data transmission
✓ Well-commented code with clear separation of concerns
✓ Auto-onboarding is non-fatal (fails gracefully)
✓ Uses pure Node.js for Solana operations (solana-lite.js) — no untrusted npm dependencies