Low Risk — Risk Score 25/100
Last scan: 1 day ago
social-sentiment-monitor
Social media sentiment monitoring assistant for cryptocurrency - monitors Twitter, Reddit discussions, analyzes sentiment, and tracks trending topics.
This skill is a cryptocurrency social sentiment monitor with a legitimate billing integration. The primary security concern is a hardcoded API key in payment.py, but no malicious exfiltration or credential theft behavior was detected.
Skill Name: social-sentiment-monitor
Duration: 46.5s
Engine: pi
Safe to install
Remove the hardcoded BILLING_API_KEY from payment.py and use environment variable SKILLPAY_API_KEY instead. No other security concerns require immediate action.

Findings (2 items)

Severity: High
Finding: Hardcoded API Key in Source Code (Credential Theft)
BILLING_API_KEY is hardcoded as a string literal in payment.py:12. This exposes a potentially sensitive credential in source code. If this is a real API key, it could be harvested from the source and abused. The correct approach is to read it from an environment variable (SKILLPAY_API_KEY, as declared in _meta.json).
    BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
→ Replace the hardcoded value with: BILLING_API_KEY = os.environ.get('SKILLPAY_API_KEY', '')
Location: payment.py:12

Severity: Low
Finding: API Configuration Template May Mislead Users (Doc Mismatch)
The references/api-configuration.md file contains example code with placeholder credentials such as access_token="YOUR_ACCESS_TOKEN". While these are clearly placeholders, they could confuse users or be accidentally used without proper configuration.
    access_token="YOUR_ACCESS_TOKEN"
→ Use more prominent placeholder markers such as '<YOUR_ACCESS_TOKEN>' to clearly indicate that these are templates.
Location: references/api-configuration.md:24
Resource     Declared  Inferred  Status     Evidence
Network      WRITE     WRITE     ✓ Aligned  payment.py:25-45 makes POST/GET requests to skillpay.me for billing
Environment  READ      READ      ✓ Aligned  payment.py:72 reads the SKILLPAY_USER_ID env var
Filesystem   NONE      NONE                 No filesystem access in scripts
Shell        NONE      NONE                 No shell execution detected
6 findings (2 High)

🔑 High · API Key · Suspected hardcoded credential
    API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
    payment.py:12

🔑 High · API Key · Suspected hardcoded credential
    access_token="YOUR_ACCESS_TOKEN"
    references/api-configuration.md:24

🔗 Medium · External URL
    https://skillpay.me
    payment.py:11

🔗 Medium · External URL
    https://lunarcrush.com/api3
    references/api-configuration.md:98

🔗 Medium · External URL
    https://api.santiment.net/graphql
    references/api-configuration.md:132

🔗 Medium · External URL
    https://nitter.net/
    references/api-configuration.md:210

File Tree

11 files · 86.8 KB · 2722 lines
Python: 8 files · 2190 lines; Markdown: 2 files · 513 lines; JSON: 1 file · 19 lines
├─ 📁 references
│ └─ 📝 api-configuration.md Markdown 223L · 4.2 KB
├─ 📁 scripts
│ ├─ 🐍 fud_detector.py Python 291L · 10.1 KB
│ ├─ 🐍 kol_monitor.py Python 364L · 12.4 KB
│ ├─ 🐍 sentiment_daemon.py Python 248L · 8.0 KB
│ ├─ 🐍 sentiment_report.py Python 271L · 9.2 KB
│ ├─ 🔑 token_sentiment.py Python 311L · 10.3 KB
│ ├─ 🐍 trending_topics.py Python 266L · 9.3 KB
│ └─ 🐍 viral_content.py Python 297L · 10.6 KB
├─ 📋 _meta.json JSON 19L · 445 B
├─ 🐍 payment.py Python 142L · 5.2 KB
└─ 📝 SKILL.md Markdown 290L · 7.0 KB

Dependencies (4 items)

Package   Version      Source  Known Vulns  Notes
requests  unspecified  pip     No           Used for billing API calls; version not pinned
random    stdlib       python  No           Used for mock data generation
datetime  stdlib       python  No           Standard datetime operations
yaml      unspecified  pip     No           Used for config parsing in the daemon

Security Positives

✓ Scripts only generate mock/simulated data - no actual network calls to Twitter, Reddit, or other APIs
✓ SKILL.md properly documents the SkillPay billing system
✓ _meta.json correctly declares payment requirements and environment variables
✓ No base64 encoding, obfuscation, or anti-analysis techniques detected
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No reverse shell, C2, or data exfiltration behavior
✓ No subprocess or shell command execution
✓ No hidden functionality or undocumented behaviors