Low risk (risk score 20/100)
Last scan: 19 hours ago
check-balance
Check USDC balance across networks (Base, Solana)
A simple USDC balance checker using standard npm tooling with minor supply chain concerns around @latest tag usage and broad argument allowance.
Skill name: check-balance
Analysis time: 28.1s
Engine: pi
Verdict: safe to install
Pin the agnic package to a specific version instead of @latest to reduce supply chain risk. Consider narrowing the Bash tool permission to specific subcommands.

Security findings (2)

Severity | Security finding | Location

Low
Unpinned npm package version (category: supply chain)
The skill uses the @latest tag for the agnic package, which could resolve to a malicious version if the package namespace is compromised.
npx agnic@latest status --json
→ Pin to a specific version: npx [email protected]
SKILL.md:8

Low
Broad Bash tool permission (category: privilege escalation)
The Bash permission allows any arguments (*), potentially enabling unintended agnic subcommands beyond balance checking.
Bash(npx agnic@latest *)
→ Consider limiting to specific subcommands: status, balance
SKILL.md:4
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ Consistent | Bash(npx agnic@latest *)

Directory structure

1 file · 1.2 KB · 51 lines
Markdown: 1 file · 51 lines
└─ SKILL.md (Markdown, 51 lines, 1.2 KB)

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
agnic | latest | npm | (none listed) | Uses the @latest tag, no version pinning

Security highlights

✓ Single-purpose, straightforward functionality
✓ No credential harvesting or exfiltration detected
✓ No obfuscation or anti-analysis patterns
✓ Documentation matches stated behavior (doc-to-code alignment)
✓ Standard npm tooling without suspicious execution patterns
✓ No file system or environment variable access beyond npm execution