Suspicious: risk score 38/100
Last scan: 2 days ago
odds-movement-monitor
Odds movement monitoring assistant: real-time monitoring of sports betting odds changes
A hardcoded billing API key in payment.py, an undisclosed payment integration, and misleading file references in SKILL.md raise concerns, although no malicious behavior was confirmed.
Skill name: odds-movement-monitor
Analysis time: 40.4s
Engine: pi
Verdict: use with caution
Remove the hardcoded API key from the source and declare the payment behavior in SKILL.md. The billing mechanism appears legitimate but lacks transparency.

Security findings (5)

[High] Hardcoded Billing API Key (payment.py:12)
A billing API key is hardcoded in the payment.py source. It appears to be a legitimate SkillPay service key rather than a credential used for malicious activity, but hardcoding a secret in source code is a serious security practice violation: anyone who obtains the package has the key, and it cannot be rotated without shipping a new version.
    BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
→ Move the API key to an environment variable or a secrets manager. Because the key has already been distributed in source, treat it as exposed and rotate it rather than only relocating it.

[Medium] Undisclosed Payment Collection (payment.py:1)
The skill implements a payment collection system (SkillPay) that automatically charges the user 0.01 USDT per invocation. This behavior is not mentioned in SKILL.md; it appears only in the metadata section of _meta.json.
    # SkillPay Billing Integration
→ Disclose the payment behavior in the core capabilities section of SKILL.md.

[Medium] SKILL.md References Non-Existent Files (SKILL.md:107)
The file structure section of SKILL.md lists odds_fetcher.py, alert_manager.py and data_storage.py, none of which exist in the package (the Python modules actually shipped are __init__.py, change_detector.py, demo.py, monitor.py and payment.py).
    ├── odds_fetcher.py         # data fetching module
    ├── alert_manager.py        # alert management
    └── data_storage.py         # data storage
→ Update SKILL.md to match the actual file structure, or remove the file structure section.

[Low] Platform-Specific Path Reference (demo.py:6)
demo.py hardcodes the path '~/.openclaw/workspace/skills/odds-movement-monitor', tying it to a specific AI agent platform layout. Python does not expand ~ in sys.path entries, so as written this entry never resolves; the import only succeeds if the package is already importable by other means.
    sys.path.insert(0, '~/.openclaw/workspace/skills/odds-movement-monitor')
→ Use relative imports, or derive the path from the script's own location (__file__) rather than a platform-specific absolute path.

[Low] Environment Variable Credential Access (monitor.py, payment.py:148)
The skill reads several environment variables (ODDS_API_KEY, SKILLPAY_USER_ID, SKILLPAY_API_KEY) without declaring them in SKILL.md.
    self.api_key = api_key or os.getenv("ODDS_API_KEY")
→ Document the required environment variables in SKILL.md.
Permission analysis

Resource              | Declared | Inferred   | Status       | Evidence
File system           | NONE     | WRITE      | ✓ consistent | monitor.py:67 - sqlite3.connect() creates a local DB
Network access        | READ     | READ+WRITE | ✓ consistent | payment.py:34 - POSTs to skillpay.me
Environment variables | NONE     | READ       | ✗ exceeds    | payment.py:99 - os.environ.get('SKILLPAY_USER_ID')
Command execution     | NONE     | NONE       |              |
Database              | NONE     | WRITE      | ✓ consistent | monitor.py:67-113 - SQLite database operations
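
The declared-versus-inferred comparison above is the kind of check that can be reproduced statically. The following is an added example written for this page, not the scanner's engine and not code from the skill: it walks the Python AST of a package, maps known calls (os.getenv, os.environ.get, sqlite3.connect, requests.get/post, subprocess.*) to resource operations, and compares them against the permissions a manifest declares. The call map, the sample sources, and the declared set are all constructed to mirror the evidence lines in the report; the comparison rule is an assumption and is stricter than the report's (any inferred operation that is not declared counts as exceeding, so it also flags the file-system and database rows that the report marks consistent). Method calls on instances (for example session.post) are not resolved, since that needs type information.

```python
import ast
from collections import defaultdict
from typing import Dict, List, Set, Tuple

RESOURCES = ("filesystem", "network", "environment", "command", "database")

# Call -> operations it implies. Constructed for this example from the report's
# evidence lines; a production engine would carry a far larger map.
CALL_CAPABILITIES: Dict[str, List[Tuple[str, str]]] = {
    "sqlite3.connect": [("database", "WRITE"), ("filesystem", "WRITE")],  # creates the DB file
    "os.getenv": [("environment", "READ")],
    "os.environ.get": [("environment", "READ")],
    "requests.get": [("network", "READ")],
    "requests.post": [("network", "WRITE")],
    "subprocess.run": [("command", "EXEC")],
    "subprocess.Popen": [("command", "EXEC")],
    "os.system": [("command", "EXEC")],
}


def dotted_name(node: ast.AST):
    """'os.environ.get' for a Name/Attribute chain; None for anything else
    (e.g. self.session.post, which cannot be resolved without type information)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class CapabilityVisitor(ast.NodeVisitor):
    def __init__(self, path: str):
        self.path = path
        self.evidence = defaultdict(list)  # resource -> [(op, "path:line")]

    def record(self, resource: str, op: str, node: ast.AST) -> None:
        self.evidence[resource].append((op, f"{self.path}:{node.lineno}"))

    def visit_Call(self, node: ast.Call) -> None:
        name = dotted_name(node.func)
        if name == "open":
            # open() is a filesystem READ unless the mode asks for writing.
            mode = "r"
            if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                mode = str(node.args[1].value)
            for kw in node.keywords:
                if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                    mode = str(kw.value.value)
            self.record("filesystem", "WRITE" if any(c in mode for c in "wax+") else "READ", node)
        for resource, op in CALL_CAPABILITIES.get(name, []):
            self.record(resource, op, node)
        self.generic_visit(node)

    def visit_Subscript(self, node: ast.Subscript) -> None:
        if dotted_name(node.value) == "os.environ":  # os.environ["X"] reads without a call
            self.record("environment", "READ", node)
        self.generic_visit(node)


def infer_permissions(sources: Dict[str, str]):
    """{path: source text} -> {resource: {"ops": set of ops, "evidence": [str]}}."""
    result = {r: {"ops": set(), "evidence": []} for r in RESOURCES}
    for path, text in sources.items():
        visitor = CapabilityVisitor(path)
        visitor.visit(ast.parse(text, filename=path))
        for resource, items in visitor.evidence.items():
            for op, where in items:
                result[resource]["ops"].add(op)
                result[resource]["evidence"].append(f"{where} ({op})")
    return result


def fmt_ops(ops: Set[str]) -> str:
    return "+".join(sorted(ops)) if ops else "NONE"


def compare(declared: Dict[str, Set[str]], inferred) -> List[Tuple[str, str, str, str, str]]:
    """One row per resource: (resource, declared, inferred, status, evidence).
    Assumed rule: any inferred operation not in the declared set is 'exceeds'."""
    rows = []
    for r in RESOURCES:
        dec, inf = declared.get(r, set()), inferred[r]["ops"]
        status = "exceeds" if inf - dec else "consistent"
        rows.append((r, fmt_ops(dec), fmt_ops(inf), status, "; ".join(inferred[r]["evidence"])))
    return rows


# Constructed sources mirroring the report's evidence lines (not the skill's real code).
SAMPLE_SOURCES = {
    "monitor.py": (
        "import os, sqlite3, requests\n"
        "class Monitor:\n"
        "    def __init__(self, api_key=None):\n"
        "        self.api_key = api_key or os.getenv('ODDS_API_KEY')\n"
        "        self.db = sqlite3.connect('odds.db')\n"
        "    def fetch(self):\n"
        "        return requests.get('https://api.the-odds-api.com/v4/sports', params={'apiKey': self.api_key})\n"
        "    def log(self, msg):\n"
        "        with open('alerts.log', 'a') as f:\n"
        "            f.write(msg)\n"
    ),
    "payment.py": (
        "import os, requests\n"
        "def charge(user_id):\n"
        "    uid = os.environ.get('SKILLPAY_USER_ID')\n"
        "    return requests.post('https://skillpay.me/api/charge', json={'user': uid})\n"
    ),
}
DECLARED = {"network": {"READ"}}  # the manifest declares only network READ, as in the report

if __name__ == "__main__":
    for row in compare(DECLARED, infer_permissions(SAMPLE_SOURCES)):
        print(" | ".join(row))
```

Running it prints one row per resource in the same shape as the table above; the evidence column carries file:line for every call that contributed, which is what a reviewer needs to confirm or dismiss each "exceeds" verdict by hand.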
Pattern matches: 5 findings (2 high severity)

Severity | Category     | Description                    | Value                                                                            | Location
High     | API key      | suspected hardcoded credential | API_KEY="your_api_key_here"                                                      | README.md:24 (placeholder value in the setup docs, not a live credential)
High     | API key      | suspected hardcoded credential | API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2" | payment.py:12
Medium   | External URL | external URL                   | https://the-odds-api.com/                                                        | README.md:27
Medium   | External URL | external URL                   | https://api.the-odds-api.com/v4                                                  | config.json:15
Medium   | External URL | external URL                   | https://skillpay.me                                                              | payment.py:11
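
The two "suspected hardcoded credential" matches above (the placeholder in README.md and the live-looking key in payment.py) and the first finding's recommendation to move the key out of source can be demonstrated together. The following is an added example written for this page, not code from the skill or from the scanner: a small detector that separates real-looking keys from documentation placeholders so the README hit can be triaged as noise, plus a fail-closed loader that replaces the hardcoded BILLING_API_KEY constant with an environment lookup. The key format (sk_ followed by 64 hex characters), the placeholder words, the environment variable name BILLING_API_KEY, and the sample sources are all assumptions drawn from this report, not anything SkillPay or the skill documents; the 64-hex value in the sample is made up.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed formats: a live SkillPay-style key is "sk_" + 64 hex chars (as in payment.py:12);
# a placeholder is documentation filler such as "your_api_key_here" (as in README.md:24).
LIVE_KEY_RE = re.compile(r"sk_[0-9a-f]{64}")
PLACEHOLDER_RE = re.compile(r"your_api_key_here|changeme|replace_me", re.IGNORECASE)
# An assignment of a quoted literal to a name containing KEY, with an optional shell "export".
ASSIGN_RE = re.compile(
    r"""^[ \t]*(?:export[ \t]+)?([A-Z_][A-Z0-9_]*KEY[A-Z0-9_]*)[ \t]*=[ \t]*["']([^"'\n]+)["']""",
    re.MULTILINE,
)


@dataclass(frozen=True)
class Hit:
    path: str
    line: int
    name: str
    kind: str  # "live-key" (real-looking secret) or "placeholder" (docs filler)


def scan_source(path: str, text: str) -> List[Hit]:
    """Flag KEY-like assignments whose literal value looks like a live key or a placeholder."""
    hits = []
    for m in ASSIGN_RE.finditer(text):
        name, value = m.group(1), m.group(2)
        line = text.count("\n", 0, m.start(1)) + 1  # line of the variable name itself
        if LIVE_KEY_RE.fullmatch(value):
            hits.append(Hit(path, line, name, "live-key"))
        elif PLACEHOLDER_RE.search(value):
            hits.append(Hit(path, line, name, "placeholder"))
    return hits


def scan_all(sources: Dict[str, str]) -> List[Hit]:
    return [h for path, text in sources.items() for h in scan_source(path, text)]


def validate_billing_key(value: Optional[str]) -> Optional[str]:
    """None if the value is usable, otherwise the reason it must be rejected."""
    if not value or not value.strip():
        return "missing"
    if PLACEHOLDER_RE.search(value):
        return "placeholder value"
    if not LIVE_KEY_RE.fullmatch(value.strip()):
        return "unexpected key format"
    return None


def load_billing_key(env: Optional[Dict[str, str]] = None) -> str:
    """Hardened replacement for the hardcoded BILLING_API_KEY constant: read it from the
    environment and fail closed. The variable name BILLING_API_KEY is an assumption."""
    env = dict(os.environ) if env is None else env
    value = env.get("BILLING_API_KEY")
    problem = validate_billing_key(value)
    if problem:
        raise RuntimeError(f"BILLING_API_KEY rejected: {problem}")
    return value.strip()


# Constructed samples mirroring the two matches in the report (the hex key is made up).
SAMPLE_SOURCES = {
    "payment.py": 'import requests\n\nBILLING_API_KEY = "sk_' + "0123456789abcdef" * 4 + '"\n',
    "README.md": '## Setup\n\nexport API_KEY="your_api_key_here"\n',
}

if __name__ == "__main__":
    for hit in scan_all(SAMPLE_SOURCES):
        print(f"{hit.path}:{hit.line} {hit.name} -> {hit.kind}")
    try:
        load_billing_key({})
    except RuntimeError as exc:
        print(exc)
```

The loader rejects an empty variable, a placeholder copied from the README, and anything not matching the assumed key format, so a misconfigured deployment fails at startup rather than sending a bad key to skillpay.me. Note that relocating the key does not undo its exposure: a value that has shipped in source stays valid until it is rotated server-side.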

Directory structure

10 files · 55.1 KB · 1719 lines
Python: 5 files, 1432 lines · Markdown: 2 files, 217 lines · JSON: 2 files, 68 lines · Text: 1 file, 2 lines
├─ __init__.py         Python     26L · 555 B
├─ _meta.json          JSON       19L · 442 B
├─ change_detector.py  Python    444L · 15.0 KB
├─ config.json         JSON       49L · 1.5 KB
├─ demo.py             Python    223L · 7.7 KB
├─ monitor.py          Python    597L · 19.5 KB
├─ payment.py          Python    142L · 5.2 KB
├─ README.md           Markdown   91L · 1.8 KB
├─ requirements.txt    Text        2L · 32 B
└─ SKILL.md            Markdown  126L · 3.4 KB

Dependency analysis (2)

Package  | Version  | Source | Known vulnerabilities | Notes
aiohttp  | >=3.8.0  | pip    | none listed           | Version not pinned
requests | >=2.28.0 | pip    | none listed           | Version not pinned

A lower bound such as >=3.8.0 accepts any future release, so the installed versions are not reproducible from requirements.txt; pin exact versions (and ideally hashes) so that a compromised or broken upstream release cannot be pulled in silently.

Security highlights

✓ No shell command execution or subprocess usage found
✓ No base64-encoded payloads or obfuscated code detected
✓ No credential harvesting targeting sensitive paths (~/.ssh, ~/.aws, etc.)
✓ No data exfiltration mechanisms beyond declared network calls
✓ No reverse shell, C2, or reverse engineering behavior
✓ Database operations are local SQLite for legitimate data storage
✓ Network calls are to declared, legitimate APIs (the-odds-api.com, skillpay.me)