Trusted — Risk Score 5/100
Last scan: 2 days ago
github-bounty-finder
Scans GitHub Issues and Algora bounties for high-value opportunities with competition analysis and opportunity scoring
A legitimate GitHub/Algora bounty scanner that performs declared network API calls and file writes without any malicious behavior, credential exfiltration, or hidden functionality.
Skill Name: github-bounty-finder
Duration: 35.2s
Engine: pi
Safe to install
This skill is safe to use. All capabilities are declared in SKILL.md and align with the documented purpose of scanning bounty platforms.

Findings (1 item)

Severity | Finding | Location
Info | Revenue projections in documentation | SKILL.md:72
Details: SKILL.md contains detailed subscription pricing ($149/month) and revenue projections ($3,000-8,000/month). While not a security concern, this marketing content is tangential to technical functionality.
Evidence: "Recommended Price: $149/month"
→ Recommendation: Consider moving business/marketing content to a separate business-plan document
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | src/scanner.js:37,64 - GitHub/Algora API calls
Environment | READ | READ | ✓ Aligned | src/scanner.js:10-11 - reads GITHUB_TOKEN, ALGORA_API_KEY
Filesystem | WRITE | WRITE | ✓ Aligned | bin/cli.js:137 - conditional file write for --output flag
Shell | NONE | NONE | | No subprocess/exec calls found
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation found
Database | NONE | NONE | | No database access found
Skill Invoke | NONE | NONE | | No recursive skill invocation found
External references (6 findings)

Severity | Type | Value | Location
Medium | External URL | https://img.shields.io/badge/version-1.0.0-blue.svg | README.md:5
Medium | External URL | https://img.shields.io/badge/license-MIT-green.svg | README.md:6
Medium | External URL | https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen.svg | README.md:7
Medium | External URL | https://algora.io/settings/api | README.md:79
Medium | External URL | https://api.algora.io/v1/bounties | src/scanner.js:64
Info | Email address | [email protected] | README.md:248

File Tree

7 files · 32.3 KB · 1251 lines
Markdown: 3 files, 663 lines · JavaScript: 2 files, 451 lines · JSON: 2 files, 137 lines
├─ bin/
│  └─ cli.js (JavaScript, 172 lines, 6.5 KB)
├─ src/
│  └─ scanner.js (JavaScript, 279 lines, 7.8 KB)
├─ clawhub.json (JSON, 103 lines, 2.5 KB)
├─ package.json (JSON, 34 lines, 745 B)
├─ README.md (Markdown, 263 lines, 6.1 KB)
├─ RELEASE.md (Markdown, 195 lines, 4.2 KB)
└─ SKILL.md (Markdown, 205 lines, 4.4 KB)

Dependencies (5 items)

Package | Version | Source | Known Vulns | Notes
axios | ^1.6.0 | npm | No | Standard HTTP client
chalk | ^4.1.2 | npm | No | Terminal string styling
commander | ^11.1.0 | npm | No | CLI framework
dotenv | ^16.3.1 | npm | No | Environment variable loading
node-fetch | ^2.7.0 | npm | No | HTTP client (imported but unused)

Security Positives

✓ All network connections are to documented, legitimate API endpoints (github.com, algora.io)
✓ No credential exfiltration - API tokens are only used for authentication to stated services
✓ Filesystem writes are user-initiated via --output flag and fully declared
✓ No shell execution, no eval(), no base64 decoding, no suspicious patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env) beyond standard env vars
✓ Dependencies are well-established npm packages with no known vulnerabilities
✓ Complete alignment between documented features and implementation
✓ CLI output writes require explicit user action with file path specification