Suspicious — Risk Score 38/100
Last scan: 2 days ago
odds-movement-monitor
Odds movement monitoring assistant - real-time monitoring of changes in sports betting odds
Hardcoded billing API key in payment.py, undisclosed payment integration, and misleading SKILL.md file references raise concerns despite no confirmed malicious behavior.
Skill Name: odds-movement-monitor
Duration: 40.4s
Engine: pi
Use with caution
Remove hardcoded API key from source code and declare payment behavior in SKILL.md. The billing mechanism appears legitimate but lacks transparency.

Findings (5 items)

Severity | Finding | Location
High | Hardcoded Billing API Key | payment.py:12
A billing API key is hardcoded in the payment.py source. While this appears to be a legitimate SkillPay service key rather than a credential used for malicious activity, hardcoding secrets in source code is a serious violation of security practice.
BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
→ Move the API key to an environment variable or a secure configuration/secrets management mechanism
Medium | Undisclosed Payment Collection | payment.py:1
The skill implements a payment collection system (SkillPay) that automatically charges users 0.01 USDT per invocation. This behavior is not mentioned in SKILL.md, only in the metadata section of _meta.json.
# SkillPay Billing Integration
→ Clearly disclose the payment behavior in the core capabilities section of SKILL.md
Medium | SKILL.md References Non-Existent Files | SKILL.md:107
The file structure section in SKILL.md lists odds_fetcher.py, alert_manager.py, and data_storage.py, none of which exist in the package.
├── odds_fetcher.py         # data fetching module
├── alert_manager.py        # alert management
└── data_storage.py         # data storage
→ Update SKILL.md to match the actual file structure, or remove the file structure section
Low | Platform-Specific Path Reference | demo.py:6
demo.py contains a hardcoded path to '~/.openclaw/workspace/skills/odds-movement-monitor', referencing the directory layout of a specific AI agent platform.
sys.path.insert(0, '~/.openclaw/workspace/skills/odds-movement-monitor')
→ Use relative imports or platform-agnostic path handling
Low | Environment Variable Credential Access | monitor.py, payment.py:148
The skill reads multiple environment variables (ODDS_API_KEY, SKILLPAY_USER_ID, SKILLPAY_API_KEY) without declaring them in SKILL.md.
self.api_key = api_key or os.getenv("ODDS_API_KEY")
→ Document the required environment variables in SKILL.md
Resource    | Declared | Inferred   | Status      | Evidence
Filesystem  | NONE     | WRITE      | ✓ Aligned   | monitor.py:67 - sqlite3.connect() creates local DB
Network     | READ     | READ+WRITE | ✓ Aligned   | payment.py:34 - POSTs to skillpay.me
Environment | NONE     | READ       | ✗ Violation | payment.py:99 - os.environ.get('SKILLPAY_USER_ID')
Shell       | NONE     | NONE       |             |
Database    | NONE     | WRITE      | ✓ Aligned   | monitor.py:67-113 - SQLite database operations
5 findings (2 High)

🔑 High | API Key (suspected hardcoded credential) | README.md:24
API_KEY="your_api_key_here"

🔑 High | API Key (suspected hardcoded credential) | payment.py:12
API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"

🔗 Medium | External URL | README.md:27
https://the-odds-api.com/

🔗 Medium | External URL | config.json:15
https://api.the-odds-api.com/v4

🔗 Medium | External URL | payment.py:11
https://skillpay.me

File Tree

10 files · 55.1 KB · 1719 lines
Python: 5 files · 1432 lines | Markdown: 2 files · 217 lines | JSON: 2 files · 68 lines | Text: 1 file · 2 lines
├─ 🐍 __init__.py Python 26L · 555 B
├─ 📋 _meta.json JSON 19L · 442 B
├─ 🐍 change_detector.py Python 444L · 15.0 KB
├─ 🔑 config.json JSON 49L · 1.5 KB
├─ 🐍 demo.py Python 223L · 7.7 KB
├─ 🐍 monitor.py Python 597L · 19.5 KB
├─ 🐍 payment.py Python 142L · 5.2 KB
├─ 📝 README.md Markdown 91L · 1.8 KB
├─ 📄 requirements.txt Text 2L · 32 B
└─ 📝 SKILL.md Markdown 126L · 3.4 KB

Dependencies (2 items)

Package  | Version  | Source | Known Vulns | Notes
aiohttp  | >=3.8.0  | pip    | No          | Version not pinned
requests | >=2.28.0 | pip    | No          | Version not pinned

Security Positives

✓ No shell command execution or subprocess usage found
✓ No base64-encoded payloads or obfuscated code detected
✓ No credential harvesting targeting sensitive paths (~/.ssh, ~/.aws, etc.)
✓ No data exfiltration mechanisms beyond declared network calls
✓ No reverse shell, C2, or reverse engineering behavior
✓ Database operations are local SQLite for legitimate data storage
✓ Network calls are to declared, legitimate APIs (the-odds-api.com, skillpay.me)