Trusted: risk score 5/100
Last scanned: 2 days ago
github-bounty-finder
Scans GitHub Issues and Algora bounties for high-value opportunities with competition analysis and opportunity scoring
A legitimate GitHub/Algora bounty scanner that performs declared network API calls and file writes without any malicious behavior, credential exfiltration, or hidden functionality.
Skill name: github-bounty-finder
Analysis time: 35.2s
Engine: pi
Verdict: can be installed
This skill is safe to use. All capabilities are declared in SKILL.md and align with the documented purpose of scanning bounty platforms.

Security findings (1)

Severity | Finding | Location
--- | --- | ---
Info | Revenue projections in documentation | SKILL.md:72

SKILL.md contains detailed subscription pricing ($149/month) and revenue projections ($3,000-8,000/month). This is not a security concern, but the marketing content is tangential to the technical functionality.
Evidence: "Recommended Price: $149/month"
→ Consider moving business/marketing content to a separate business-plan document
Capabilities (declared in SKILL.md vs. inferred from source)

Resource type | Declared permission | Inferred permission | Status | Evidence
--- | --- | --- | --- | ---
Network access | READ | READ | ✓ consistent | src/scanner.js:37,64 - GitHub/Algora API calls
Environment variables | READ | READ | ✓ consistent | src/scanner.js:10-11 - reads GITHUB_TOKEN, ALGORA_API_KEY
Filesystem | WRITE | WRITE | ✓ consistent | bin/cli.js:137 - conditional file write for the --output flag
Command execution | NONE | NONE | ✓ consistent | No subprocess/exec calls found
Clipboard | NONE | NONE | ✓ consistent | No clipboard access found
Browser | NONE | NONE | ✓ consistent | No browser automation found
Database | NONE | NONE | ✓ consistent | No database access found
Skill invocation | NONE | NONE | ✓ consistent | No recursive skill invocation found
Findings (6)

Severity | Type | Value | Location
--- | --- | --- | ---
Medium | External URL | https://img.shields.io/badge/version-1.0.0-blue.svg | README.md:5
Medium | External URL | https://img.shields.io/badge/license-MIT-green.svg | README.md:6
Medium | External URL | https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen.svg | README.md:7
Medium | External URL | https://algora.io/settings/api | README.md:79
Medium | External URL | https://api.algora.io/v1/bounties | src/scanner.js:64
Info | Email address | [email protected] | README.md:248

Of the five URLs, only https://api.algora.io/v1/bounties is reached by code (src/scanner.js:64). The other four appear in README.md only (three badge images and a link to the Algora API-key settings page) and are not network destinations of the skill itself.

Directory structure

7 files · 32.3 KB · 1251 lines
Markdown: 3 files, 663 lines · JavaScript: 2 files, 451 lines · JSON: 2 files, 137 lines
├─ 📁 bin
│ └─ 📜 cli.js JavaScript 172L · 6.5 KB
├─ 📁 src
│ └─ 📜 scanner.js JavaScript 279L · 7.8 KB
├─ 📋 clawhub.json JSON 103L · 2.5 KB
├─ 📋 package.json JSON 34L · 745 B
├─ 📝 README.md Markdown 263L · 6.1 KB
├─ 📝 RELEASE.md Markdown 195L · 4.2 KB
└─ 📝 SKILL.md Markdown 205L · 4.4 KB

Dependency analysis (5)

Package | Version | Source | Known vulnerabilities | Notes
--- | --- | --- | --- | ---
axios | ^1.6.0 | npm | none found | Standard HTTP client
chalk | ^4.1.2 | npm | none found | Terminal string styling
commander | ^11.1.0 | npm | none found | CLI framework
dotenv | ^16.3.1 | npm | none found | Environment variable loading (reads .env for the API tokens)
node-fetch | ^2.7.0 | npm | none found | HTTP client; imported but unused (dead dependency, a candidate for removal)

Caret ranges resolve at install time, so the vulnerability verdict applies to the versions resolved when the scan ran; a committed lockfile pins what actually gets installed.

Security highlights

✓ All network connections are to documented, legitimate API endpoints (github.com, algora.io)
✓ No credential exfiltration - API tokens are only used for authentication to stated services
✓ Filesystem writes are user-initiated via --output flag and fully declared
✓ No shell execution, no eval(), no base64 decoding, no suspicious patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws); the only .env access is dotenv loading the skill's own GITHUB_TOKEN and ALGORA_API_KEY
✓ Dependencies are well-established npm packages with no known vulnerabilities
✓ Complete alignment between documented features and implementation
✓ CLI output writes require explicit user action with file path specification
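To reproduce the declared-vs-inferred capability table above and the "no shell execution, no eval(), no base64 decoding, no sensitive paths" checks in the highlights, here is an added example, not the scanner engine's own code and not part of the skill: a grep-style capability inference over constructed sample source. The sample files (including a hypothetical `hypothetical/bad.js` that contains exactly the patterns the highlights say are absent), the rule list and the documented-host set are assumptions made for illustration; the real skill's source is not reproduced.

```python
import re
from collections import defaultdict

# Constructed sample sources (not the skill's real files): a benign scanner and CLI
# shaped like the report's evidence, plus a hypothetical third file that contains
# exactly the patterns the highlights say are absent.
SAMPLE_FILES = {
    "src/scanner.js": (
        "const axios = require('axios');\n"
        "require('dotenv').config();\n"
        "const GITHUB_TOKEN = process.env.GITHUB_TOKEN;\n"
        "const ALGORA_API_KEY = process.env.ALGORA_API_KEY;\n"
        "async function fetchIssues(q) {\n"
        "  return axios.get('https://api.github.com/search/issues', { params: { q } });\n"
        "}\n"
    ),
    "bin/cli.js": (
        "const fs = require('fs');\n"
        "if (opts.output) fs.writeFileSync(opts.output, JSON.stringify(results));\n"
    ),
    "hypothetical/bad.js": (
        "const { exec } = require('child_process');\n"
        "exec('cat ~/.ssh/id_rsa');\n"
        "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());\n"
    ),
}

# Heuristic regexes, one list per capability (assumed here; not the engine's rules).
RULES = {
    "network": [r"https?://[^\s'\"`]+", r"\baxios\.(get|post|put|delete|request)\(", r"\bfetch\("],
    "env": [r"process\.env\.[A-Z0-9_]+"],
    "fs_write": [r"\bfs\.(writeFile|writeFileSync|appendFile|appendFileSync|createWriteStream)\b"],
    "exec": [r"require\(['\"]child_process['\"]\)", r"\b(exec|execSync|spawn|spawnSync)\("],
    "eval": [r"\beval\(", r"\bnew Function\("],
    "base64": [r"['\"]base64['\"]"],
    "sensitive_path": [r"~/\.(ssh|aws|gnupg)\b", r"['\"]\.env['\"]"],
}

# Endpoints the skill documents; any other host in URL evidence is undocumented.
DOCUMENTED_HOSTS = {"api.github.com", "api.algora.io"}


def scan_sources(files):
    """Return {capability: [(path, line_no, matched_text), ...]} across all files."""
    evidence = defaultdict(list)
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for cap, patterns in RULES.items():
                for pat in patterns:
                    m = re.search(pat, line)
                    if m:
                        evidence[cap].append((path, line_no, m.group(0)))
                        break  # one hit per capability per line is enough evidence
    return dict(evidence)


def compare_declared(evidence, declared):
    """Per-capability status: consistent / undeclared (code does more than SKILL.md
    says) / unused (declared but no evidence) / none."""
    status = {}
    for cap in RULES:
        inferred = cap in evidence
        if cap in declared:
            status[cap] = "consistent" if inferred else "unused"
        else:
            status[cap] = "undeclared" if inferred else "none"
    return status


def undocumented_hosts(evidence, documented=DOCUMENTED_HOSTS):
    """Hosts seen in URL evidence that are not on the documented-endpoint list."""
    hosts = set()
    for _, _, text in evidence.get("network", []):
        m = re.match(r"https?://([^/]+)", text)
        if m:
            hosts.add(m.group(1))
    return hosts - documented


if __name__ == "__main__":
    ev = scan_sources(SAMPLE_FILES)
    for cap, st in compare_declared(ev, {"network", "env", "fs_write"}).items():
        print(f"{cap:15} {st:12}", "; ".join(f"{p}:{n} {t}" for p, n, t in ev.get(cap, [])))
    print("undocumented hosts:", undocumented_hosts(ev) or "none")
```

Run as-is, the benign two files come out as consistent with the three declared capabilities and every other row as none; adding the hypothetical third file flips exec, eval, base64 and sensitive_path to undeclared with file:line evidence. String-level matching is only a first pass: code that assembles `require` names or URLs at runtime, or loads them from a dependency, evades these rules, so a "none" here is absence of evidence rather than proof, which is why the report's highlights also lean on the dependency review and the declared-permission comparison.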