中文 EN

扫描报告

扫描新文件

可疑 — 风险评分 45/100
上次扫描:1 天前 重新扫描
45 /100
polymarket-opportunities-scanning
Scan Polymarket prediction markets for book arbitrage opportunities, generate formatted report, deliver via Telegram and email
Skill declares only network:READ via public API, but actual code uses shell:WRITE (execSync/osascript) and filesystem:WRITE without disclosure in documentation.
技能名称polymarket-opportunities-scanning
分析耗时39.3s
引擎pi
谨慎使用
SKILL.md must be updated to declare shell execution, filesystem writes, and environment variable access. Consider if shell execution via execSync is necessary or if a safer alternative exists.

安全发现 4 项

严重性 安全发现 位置
高危
Shell execution undeclared in SKILL.md 文档欺骗
SKILL.md states 'No external API keys required' and implies only network:READ via public fetch. However, send-report.js uses execSync to spawn shell processes and osascript for AppleScript execution — shell:WRITE capability not disclosed.
execSync(`node ${join(__dirname, 'scanner.js')}`
→ Declare shell:WRITE in SKILL.md capabilities section if shell execution is necessary. Document what commands are executed.
 scripts/send-report.js:47
高危
osascript/AppleScript execution undeclared 文档欺骗
Email delivery via osascript is not mentioned in SKILL.md. This allows arbitrary macOS command execution through AppleScript, a significant attack vector if the .env is compromised or the script is modified.
execSync(`osascript -e '${escaped}'`
→ Document osascript usage or switch to a documented email library (nodemailer, sendgrid) if possible.
 scripts/send-report.js:55
中危
Filesystem write access not declared 文档欺骗
SKILL.md does not mention that scanner.js writes opportunities.json to disk. While legitimate for the use case, this filesystem:WRITE capability should be declared.
fs.writeFileSync(outputPath, JSON.stringify({...}))
→ Declare filesystem:WRITE in SKILL.md capabilities section.
 scripts/scanner.js:217
中危
.env loading not documented 文档欺骗
send-report.js loads configuration from .env file but this behavior is not mentioned in SKILL.md setup instructions (only references/setup.md).
for (const line of readFileSync(envPath, 'utf8').split(/\r?\n/))
→ Document .env file usage in SKILL.md setup section.
 scripts/send-report.js:15
资源类型声明权限推断权限状态证据
网络访问 READ READ ✓ 一致 scanner.js:13 fetches gamma-api.polymarket.com
命令执行 NONE WRITE ✗ 越权 send-report.js:47 execSync, send-report.js:55 osascript
文件系统 NONE WRITE ✗ 越权 scanner.js:217 fs.writeFileSync
环境变量 NONE READ ✗ 越权 send-report.js:15-24 .env loading
3 项发现
🔗
中危 外部 URL 外部 URL
https://polymarket.com/event/...
SKILL.md:65
🔗
中危 外部 URL 外部 URL
https://gamma-api.polymarket.com
scripts/scanner.js:12
🔗
中危 外部 URL 外部 URL
https://polymarket.com/event/$
scripts/scanner.js:151

目录结构

4 文件 · 18.5 KB · 551 行
JavaScript 2f · 372L Markdown 2f · 179L
├─ 📁 references
│ └─ 📝 setup.md Markdown 82L · 2.7 KB
├─ 📁 scripts
│ ├─ 📜 scanner.js JavaScript 237L · 7.9 KB
│ └─ 📜 send-report.js JavaScript 135L · 4.8 KB
└─ 📝 SKILL.md Markdown 97L · 3.1 KB

安全亮点

✓ Uses native fetch API, no external dependencies with known vulnerabilities
✓ No hardcoded credentials or API keys in source code
✓ No base64 obfuscation or suspicious encoding patterns
✓ Legitimate financial data analysis use case with plausible business justification
✓ Output file (opportunities.json) is local and not exfiltrated