Suspicious — Risk Score 45/100
Last scan: 1 day ago
polymarket-opportunities-scanning
Scan Polymarket prediction markets for book arbitrage opportunities, generate a formatted report, and deliver it via Telegram and email.
The skill declares only network:READ via a public API, but the code actually uses shell:WRITE (execSync, osascript) and filesystem:WRITE, and reads configuration from a .env file, none of which the documentation discloses.
Skill Name: polymarket-opportunities-scanning
Duration: 39.3s
Engine: pi
Use with caution
SKILL.md must be updated to declare shell execution, filesystem writes, and environment variable access. Reconsider whether shell execution via execSync is necessary at all: to run scanner.js and osascript, execFileSync with an argument list does the same job without handing a shell an interpolated string.

Findings (4 items)

Severity · Finding (category) · Location
High · Shell execution undeclared in SKILL.md (Doc Mismatch) · scripts/send-report.js:47
SKILL.md states 'No external API keys required' and implies only network:READ via public fetch. However, send-report.js uses execSync to spawn shell processes and osascript for AppleScript execution, a shell:WRITE capability that is not disclosed.
Evidence: execSync(`node ${join(__dirname, 'scanner.js')}`)
→ Declare shell:WRITE in the SKILL.md capabilities section if shell execution is necessary, and document which commands are executed.
High · osascript/AppleScript execution undeclared (Doc Mismatch) · scripts/send-report.js:55
Email delivery via osascript is not mentioned in SKILL.md. AppleScript can run arbitrary macOS commands (for example through do shell script), so this is a significant attack vector if the .env is compromised or the script is modified. Because the script text is interpolated into a shell command string, safety also depends entirely on how the escaped value is produced: a single unescaped quote ends the argument and the remainder of the string is parsed by the shell.
Evidence: execSync(`osascript -e '${escaped}'`)
→ Document the osascript usage, or switch to a documented email library (nodemailer, SendGrid) if possible. If osascript stays, pass the script as an argument-list element via execFileSync so that no shell parses it.
Medium · Filesystem write access not declared (Doc Mismatch) · scripts/scanner.js:217
SKILL.md does not mention that scanner.js writes opportunities.json to disk. Writing the scan output is legitimate for the use case, but it is a filesystem:WRITE capability and should be declared, together with where the file is written.
Evidence: fs.writeFileSync(outputPath, JSON.stringify({...}))
→ Declare filesystem:WRITE in the SKILL.md capabilities section.
Medium · .env loading not documented (Doc Mismatch) · scripts/send-report.js:15
send-report.js loads its configuration from a .env file, but the SKILL.md setup instructions do not mention this; it appears only in references/setup.md.
Evidence: for (const line of readFileSync(envPath, 'utf8').split(/\r?\n/))
→ Document .env file usage (which variables are read and what they are used for) in the SKILL.md setup section.
Declared vs. inferred capabilities

Resource     Declared  Inferred  Status       Evidence
Network      READ      READ      ✓ Aligned    scanner.js:13 fetches gamma-api.polymarket.com
Shell        NONE      WRITE     ✗ Violation  send-report.js:47 execSync; send-report.js:55 osascript
Filesystem   NONE      WRITE     ✗ Violation  scanner.js:217 fs.writeFileSync
Environment  NONE      READ      ✗ Violation  send-report.js:15-24 .env loading
External URLs (3 findings)

Medium · External URL · https://polymarket.com/event/... · SKILL.md:65
Medium · External URL · https://gamma-api.polymarket.com · scripts/scanner.js:12
Medium · External URL · https://polymarket.com/event/$ · scripts/scanner.js:151

File Tree

4 files · 18.5 KB · 551 lines
JavaScript: 2 files, 372 lines · Markdown: 2 files, 179 lines
├─ 📁 references
│ └─ 📝 setup.md Markdown 82L · 2.7 KB
├─ 📁 scripts
│ ├─ 📜 scanner.js JavaScript 237L · 7.9 KB
│ └─ 📜 send-report.js JavaScript 135L · 4.8 KB
└─ 📝 SKILL.md Markdown 97L · 3.1 KB

Security Positives

✓ Uses the native fetch API and has no third-party dependencies, so there is no package supply chain to carry known vulnerabilities
✓ No hardcoded credentials or API keys in source code
✓ No base64 obfuscation or suspicious encoding patterns
✓ Legitimate financial data analysis use case with plausible business justification
✓ Output file (opportunities.json) is local and not exfiltrated