Skill Trust Decision

whale-alert-monitor

Found an undeclared shadow billing feature (payment.py) and a hard-coded API key; in addition, all on-chain monitoring functions use simulated data rather than real API calls.

Install decision first · Source: ClawHub · Scanned: Apr 9, 2026
Files 12
Artifacts 24
Violations 2
Findings 5
Most direct threat evidence
High · Credential Theft

Hard-coded API key

BILLING_API_KEY is stored in plaintext in the source file payment.py at line 12; this is a serious security flaw.

payment.py:12

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Undeclared billing feature +20

payment.py implements a paywall, but SKILL.md does not mention it

Hard-coded API key +25

BILLING_API_KEY is stored in plaintext at payment.py:12

Fake on-chain data +10

All scripts use random to generate fake data instead of making real API calls

Most important evidence

High · Credential Theft

Hard-coded API key

BILLING_API_KEY is stored in plaintext in the source file payment.py at line 12; this is a serious security flaw.

Location: payment.py:12
Fix: store sensitive credentials in environment variables
High · Doc Mismatch

Undeclared shadow billing feature

payment.py implements a complete payment verification system (verify_payment/require_payment), but SKILL.md makes no mention of this feature

Location: payment.py:95
Fix: explicitly declare the billing mechanism in SKILL.md
Medium · Supply Chain

Dependencies not version-pinned

No requirements.txt or other dependency declaration file was found; dependency management is not traceable

Location: N/A
Fix: add a requirements.txt and pin dependency versions
Medium · Doc Mismatch

Fake on-chain data feature

Scripts such as whale_tracker.py, transfer_monitor.py and exchange_flow.py claim to monitor on-chain activity, but actually use the random module to generate entirely fabricated data

Location: scripts/whale_tracker.py:85
Fix: use real APIs (Etherscan/Alchemy) or clearly label the scripts as demo mode
Low · Sensitive Access

Undeclared environment variable reads

The code reads environment variables such as TELEGRAM_BOT_TOKEN and DISCORD_WEBHOOK_URL, but SKILL.md does not declare them

Location: scripts/alert_manager.py:135
Fix: declare the required environment variables in SKILL.md

Declared capability vs actual capability

Network · Block
Declared: NONE · Inferred: READ
payment.py:26 connects to skillpay.me, which is not declared

Environment · Block
Declared: NONE · Inferred: READ
payment.py:103 reads SKILLPAY_USER_ID

Suspicious artifacts and egress

High · API Key
API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"

payment.py:12

Medium · Wallet Address
0x742d35Cc6634C0532925a3b8D4E6D3b6e8d3e8D3

README.md:77

Medium · Wallet Address
0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE

README.md:95

Medium · Wallet Address
0x71660c4005BA85c37ccec55d0C4493E66Fe775d3

README.md:100

Medium · External URL
https://skillpay.me

payment.py:11

Medium · External URL
https://api.etherscan.io/api

references/api-configuration.md:8

Medium · External URL
https://eth-mainnet.g.alchemy.com/v2/

references/api-configuration.md:54

Medium · External URL
https://deep-index.moralis.io/api/v2/

references/api-configuration.md:89

Medium · External URL
https://eth-mainnet.g.alchemy.com/v2/KEY

references/api-configuration.md:112

Medium · External URL
https://eth-mainnet.g.alchemy.com/v2/$

references/api-configuration.md:137

Medium · External URL
https://etherscan.io

references/api-configuration.md:138

Medium · External URL
https://bsc-dataseed.binance.org

references/api-configuration.md:142

Dependencies and supply chain

There are no structured dependency warnings.

File composition

12 files · 2728 lines
Python · 7 files · 1864 lines
Markdown · 4 files · 843 lines
JSON · 1 file · 21 lines
Files of concern · 6
scripts/alert_manager.py Python · 303 lines
Undeclared environment variable reads · https://api.telegram.org/bot
scripts/whale_tracker.py Python · 279 lines
Fake on-chain data feature
README.md Markdown · 286 lines
0x742d35Cc6634C0532925a3b8D4E6D3b6e8d3e8D3 · 0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE · 0x71660c4005BA85c37ccec55d0C4493E66Fe775d3
payment.py Python · 142 lines
Hard-coded API key · Undeclared shadow billing feature · API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2" · https://skillpay.me
references/api-configuration.md Markdown · 181 lines
https://api.etherscan.io/api · https://eth-mainnet.g.alchemy.com/v2/ · https://deep-index.moralis.io/api/v2/ · https://eth-mainnet.g.alchemy.com/v2/KEY · https://eth-mainnet.g.alchemy.com/v2/$ · https://etherscan.io · https://bsc-dataseed.binance.org · https://bscscan.com · https://arb-mainnet.g.alchemy.com/v2/$ · https://arbiscan.io · https://opt-mainnet.g.alchemy.com/v2/$ · https://optimistic.etherscan.io
references/wallet-labels.md Markdown · 90 lines
0xdB3c617cDd2fBf0c8611C04A49d34C7B332e2BB6 · 0x5a52E96BAcdaBb82fd05763E25335261B270Efcb · 0x503828976D22510aad0201ac7EC88293211D23Da · 0x6b75d8AF000000e20B7a7DD000000090D0000000 · 0xf89d7b9c864f589bbF53f821d7EfC68c91d70958 · 0x2B6eD29a95753C3Ad948348e3e7b1A251039FBB9
Other files · exchange_flow.py · transfer_monitor.py · holding_analyzer.py · monitor_daemon.py · SKILL.md · _meta.json

Security positives

No remote code execution (RCE) risk
No obvious credential harvesting or exfiltration behavior
No base64-encoded or obfuscated code
Clear code structure with complete comments