Low risk: risk score 25/100
Last scan: 1 day ago
social-sentiment-monitor
Social media sentiment monitoring assistant for cryptocurrency - monitors Twitter, Reddit discussions, analyzes sentiment, and tracks trending topics.
This skill is a cryptocurrency social sentiment monitor with a legitimate billing integration. The primary security concern is a hardcoded API key in payment.py, but no malicious exfiltration or credential theft behavior was detected.
Skill name: social-sentiment-monitor
Analysis time: 46.5s
Engine: pi
Verdict: safe to install
Remove the hardcoded BILLING_API_KEY from payment.py and use environment variable SKILLPAY_API_KEY instead. No other security concerns require immediate action.

Security findings (2)

Severity | Finding | Location

High | Hardcoded API Key in Source Code (category: credential theft) | payment.py:12
BILLING_API_KEY is hardcoded as a string literal in payment.py:12. This exposes a potentially sensitive credential in source code. If this is a real API key, it could be harvested from the source and abused. The correct approach is to read it from an environment variable (SKILLPAY_API_KEY, as declared in _meta.json).
Evidence: BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
→ Replace the hardcoded value with: BILLING_API_KEY = os.environ.get('SKILLPAY_API_KEY', '') (requires import os)

Low | API Configuration Template May Mislead Users (category: documentation deception) | references/api-configuration.md:24
The references/api-configuration.md file contains example code with placeholder credentials such as access_token="YOUR_ACCESS_TOKEN". While these are clearly placeholders, they could confuse users or be used accidentally without proper configuration.
Evidence: access_token="YOUR_ACCESS_TOKEN"
→ Use more prominent placeholder markers such as '<YOUR_ACCESS_TOKEN>' to make clear that these are templates
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | WRITE | WRITE | ✓ Consistent | payment.py:25-45 makes POST/GET requests to skillpay.me for billing
Environment variables | READ | READ | ✓ Consistent | payment.py:72 reads the SKILLPAY_USER_ID env var
File system | NONE | NONE | | No filesystem access in scripts
Command execution | NONE | NONE | | No shell execution detected
Pattern matches: 6 findings (2 high)

🔑 High | API key | Suspected hardcoded credential
API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
payment.py:12

🔑 High | API key | Suspected hardcoded credential
access_token="YOUR_ACCESS_TOKEN"
references/api-configuration.md:24

🔗 Medium | External URL | External URL
https://skillpay.me
payment.py:11

🔗 Medium | External URL | External URL
https://lunarcrush.com/api3
references/api-configuration.md:98

🔗 Medium | External URL | External URL
https://api.santiment.net/graphql
references/api-configuration.md:132

🔗 Medium | External URL | External URL
https://nitter.net/
references/api-configuration.md:210

Directory structure

11 files · 86.8 KB · 2722 lines
Python: 8 files · 2190 lines; Markdown: 2 files · 513 lines; JSON: 1 file · 19 lines
├─ 📁 references
│ └─ 📝 api-configuration.md Markdown 223L · 4.2 KB
├─ 📁 scripts
│ ├─ 🐍 fud_detector.py Python 291L · 10.1 KB
│ ├─ 🐍 kol_monitor.py Python 364L · 12.4 KB
│ ├─ 🐍 sentiment_daemon.py Python 248L · 8.0 KB
│ ├─ 🐍 sentiment_report.py Python 271L · 9.2 KB
│ ├─ 🔑 token_sentiment.py Python 311L · 10.3 KB
│ ├─ 🐍 trending_topics.py Python 266L · 9.3 KB
│ └─ 🐍 viral_content.py Python 297L · 10.6 KB
├─ 📋 _meta.json JSON 19L · 445 B
├─ 🐍 payment.py Python 142L · 5.2 KB
└─ 📝 SKILL.md Markdown 290L · 7.0 KB

Dependency analysis (4)

Package | Version | Source | Known vulnerabilities | Notes
requests | unspecified | pip | | Used for billing API calls; version not pinned
random | stdlib | python | | Used for mock data generation
datetime | stdlib | python | | Standard datetime operations
yaml | unspecified | pip | | Used for config parsing in the daemon

Security highlights

✓ Scripts only generate mock/simulated data; no actual network calls are made to Twitter, Reddit, or other APIs
✓ SKILL.md properly documents the SkillPay billing system
✓ _meta.json correctly declares payment requirements and environment variables
✓ No base64 encoding, obfuscation, or anti-analysis techniques detected
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No reverse shell, C2, or data exfiltration behavior
✓ No subprocess or shell command execution
✓ No hidden functionality or undocumented behaviors