dex-arbitrage Security Report — Suspicious | ClawSafe

55 /100

dex-arbitrage

DEX搬砖套利助手 — DEX arbitrage assistant for finding cross-DEX price differences, calculating profits, and generating flash loan strategies

Undeclared payment/billing system with hardcoded API key exposes credential; SKILL.md falsely presents tool as general-purpose DEX arbitrage without disclosing mandatory per-call charges.

Skill Namedex-arbitrage

Duration44.8s

Enginepi

⚠

Use with caution

Remove hardcoded API key from source code (use environment variable instead); add explicit payment/billing disclosure to SKILL.md; audit data flows to skillpay.me endpoint.

Findings 4 items

Severity	Finding	Location
High	Undeclared mandatory payment/billing system Doc Mismatch SKILL.md describes a free DEX arbitrage assistant but payment.py silently implements a mandatory billing system charging 0.01 USDT per invocation. Users are unaware they will be charged. The _meta.json declares pricing but SKILL.md never mentions it. `SkillPay Billing Integration / 自动集成付费验证功能` → Add prominent billing disclosure in SKILL.md including pricing (0.01 USDT/call), payment provider (skillpay.me), and required environment variables (SKILLPAY_USER_ID, SKILLPAY_API_KEY)	`payment.py:1`
High	Hardcoded API key exposed in source code Credential Theft BILLING_API_KEY = 'sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2' is hardcoded at payment.py:12. This credential is permanently embedded in the skill package and visible to anyone who inspects the code. `BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"` → Move BILLING_API_KEY to an environment variable (SKILLPAY_API_KEY as noted in _meta.json), never hardcode credentials in source files	`payment.py:12`
Medium	Missing allowed-tools declaration Doc Mismatch SKILL.md declares no allowed-tools. The skill performs network requests (to skillpay.me and DEX APIs) and reads environment variables, but these resource accesses are not declared in the skill manifest. `SKILL.md header has no allowed-tools section` → Add allowed-tools declaration to SKILL.md: network:READ for DEX API calls, environment:READ for SKILLPAY_USER_ID	`SKILL.md:1`
Low	User ID transmitted to external endpoint Data Exfil verify_payment() reads SKILLPAY_USER_ID from environment and sends it to skillpay.me/api/v1/billing/* endpoints. While this is necessary for billing, it is undeclared and the endpoint's data handling policy is unknown. `user_id = os.environ.get("SKILLPAY_USER_ID", "anonymous_user")` → Document what data is sent to skillpay.me, provide privacy policy link, and consider making the endpoint configurable	`payment.py:99`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file writes in code; scripts are generators/calculators only
Network	`NONE`	`READ`	✗ Violation	payment.py:27-30 sends POST to skillpay.me; price_monitor.py:43-49 fetches DEX p…
Shell	`NONE`	`NONE`	—	No subprocess/shell execution found
Environment	`NONE`	`READ`	✗ Violation	payment.py:99 reads SKILLPAY_USER_ID from os.environ without declaration

1 High 51 findings

🔑

High API Key 疑似硬编码凭证

API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"

payment.py:12

🔗

Medium External URL 外部 URL

https://skillpay.me

payment.py:11

🔗

Medium External URL 外部 URL

https://dexscreener.com/

references/arbitrage-tools.md:7

🔗

Medium External URL 外部 URL

https://www.coingecko.com/

references/arbitrage-tools.md:25

🔗

Medium External URL 外部 URL

https://api.coingecko.com/api/v3/simple/price?ids=

references/arbitrage-tools.md:32

🔗

Medium External URL 外部 URL

https://portal.1inch.dev/

references/arbitrage-tools.md:47

🔗

Medium External URL 外部 URL

https://api.1inch.dev/swap/v5.2/1/quote?

references/arbitrage-tools.md:58

🔗

Medium External URL 外部 URL

https://eth.llamarpc.com

references/arbitrage-tools.md:99

🔗

Medium External URL 外部 URL

https://api.0x.org/swap/v1/quote?

references/arbitrage-tools.md:144

🔗

Medium External URL 外部 URL

https://li.quest/v1/quote

references/arbitrage-tools.md:163

🔗

Medium External URL 外部 URL

https://socket.tech/

references/arbitrage-tools.md:177

🔗

Medium External URL 外部 URL

https://across.to/

references/arbitrage-tools.md:186

🔗

Medium External URL 外部 URL

https://protect.flashbots.net/

references/arbitrage-tools.md:215

🔗

Medium External URL 外部 URL

https://rpc.flashbots.net

references/arbitrage-tools.md:225

🔗

Medium External URL 外部 URL

https://www.edennetwork.io/

references/arbitrage-tools.md:230

🔗

Medium External URL 外部 URL

https://api.edennetwork.io/v1/rpc

references/arbitrage-tools.md:234

🔗

Medium External URL 外部 URL

https://cowswap.exchange/

references/arbitrage-tools.md:244

🔗

Medium External URL 外部 URL

https://dune.com/

references/arbitrage-tools.md:271

🔗

Medium External URL 外部 URL

https://eigenphi.io/

references/arbitrage-tools.md:285

🔗

Medium External URL 外部 URL

https://explorer.flashbots.net/

references/arbitrage-tools.md:294

🔗

Medium External URL 外部 URL

https://tenderly.co/

references/arbitrage-tools.md:303

🔗

Medium External URL 外部 URL

https://book.getfoundry.sh/

references/arbitrage-tools.md:328

🔗

Medium External URL 外部 URL

https://hardhat.org/

references/arbitrage-tools.md:353

🔗

Medium External URL 外部 URL

https://zapper.fi/

references/arbitrage-tools.md:388

🔗

Medium External URL 外部 URL

https://debank.com/

references/arbitrage-tools.md:397

🔗

Medium External URL 外部 URL

https://www.alchemy.com/

references/arbitrage-tools.md:409

🔗

Medium External URL 外部 URL

https://infura.io/

references/arbitrage-tools.md:414

🔗

Medium External URL 外部 URL

https://www.quicknode.com/

references/arbitrage-tools.md:419

🔗

Medium External URL 外部 URL

https://rpc.ankr.com/eth

references/arbitrage-tools.md:428

🔗

Medium External URL 外部 URL

https://ethereum.publicnode.com

references/arbitrage-tools.md:429

🔗

Medium External URL 外部 URL

https://arb1.arbitrum.io/rpc

references/arbitrage-tools.md:432

🔗

Medium External URL 外部 URL

https://arbitrum.llamarpc.com

references/arbitrage-tools.md:433

🔗

Medium External URL 外部 URL

https://chainlist.org/

references/arbitrage-tools.md:436

🔗

Medium External URL 外部 URL

https://docs.uniswap.org/

references/arbitrage-tools.md:443

🔗

Medium External URL 外部 URL

https://docs.flashbots.net/

references/arbitrage-tools.md:444

🔗

Medium External URL 外部 URL

https://docs.ethers.org/

references/arbitrage-tools.md:445

🔗

Medium External URL 外部 URL

https://explore.flashbots.net/

references/arbitrage-tools.md:455

🔗

Medium External URL 外部 URL

https://writings.flashbots.net/

references/arbitrage-tools.md:457

🔗

Medium External URL 外部 URL

https://relay.flashbots.net

references/mev-protection.md:100

🔗

Medium External URL 外部 URL

https://protect.flashbots.net/v1/rpc

references/mev-protection.md:218

🔗

Medium External URL 外部 URL

https://rpc.mevblocker.io

references/mev-protection.md:242

🔗

Medium External URL 外部 URL

https://cowswap.exchange

references/mev-protection.md:255

💰