Low Risk — Risk Score 20/100
Last scan: 17 hr ago
chainstream-data
Query and analyze on-chain data via MCP (17 tools) and CLI across Solana, BSC, Ethereum. Covers token analytics, market ranking, wallet profiling, and WebSocket streaming.
ChainStream Data is a read-only on-chain analytics skill (pure Markdown documentation) that poses minimal risk; the sole concern is a documented curl|bash command to install the Tempo Wallet CLI, which is a legitimate but risky installation pattern with no actual malicious impact.
Skill Name: chainstream-data
Duration: 71.8s
Engine: pi
Verdict: Safe to install
Approve with caution. If the risk appetite requires zero curl|bash patterns, remove Path 3 (Tempo Wallet MPP) from shared/authentication.md and reference it via external skill instead: 'npx skills add tempoxyz/docs'.

Findings: 1 item

Severity: Low
Finding: curl|bash to install Tempo Wallet CLI (Supply Chain)
Location: shared/authentication.md:182
shared/authentication.md:182 documents 'curl -fsSL https://tempo.xyz/install | bash' to install the Tempo Wallet CLI. While this is a declared and legitimate installation method, piped remote script execution is a known high-risk pattern. The command downloads and executes a script from tempo.xyz non-interactively. No evidence of tampering with the remote script was found, and the purpose (installing Tempo Wallet for MPP payment) is directly relevant to the skill's functionality.
→ Prefer 'npx skills add tempoxyz/docs' or require users to download Tempo Wallet from an official website manually, rather than piping curl to bash.

Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md declares Read tool for documentation loading
Network | READ | READ | ✓ Aligned | SKILL.md declares WebFetch for API calls to api.chainstream.io, mcp.chainstream.…
Shell | NONE | NONE | | Skill contains no scripts. npx usage is for the ChainStream CLI binary (not inli…
Environment | READ | READ | ✓ Aligned | Skill reads environment variables for API keys and wallet addresses, but only pa…
Skill Invoke | NONE | NONE | | Skill references chainstream-graphql and chainstream-defi as related skills but …

Pattern scan: 1 Critical, 41 findings

Critical: Dangerous Command (dangerous shell command)
curl -fsSL https://tempo.xyz/install | bash
shared/authentication.md:182

File Tree

16 files · 78.5 KB · 2112 lines
Markdown 15f · 2102L JSON 1f · 10L
├─ 📁 references
│ ├─ 📝 api-endpoints.md Markdown 131L · 6.8 KB
│ ├─ 📝 api-schema.md Markdown 143L · 4.0 KB
│ ├─ 📝 market-discovery.md Markdown 74L · 2.8 KB
│ ├─ 📝 query-examples.md Markdown 259L · 7.1 KB
│ ├─ 🔑 token-research.md Markdown 55L · 2.9 KB
│ ├─ 📝 wallet-profiling.md Markdown 60L · 2.5 KB
│ ├─ 📝 websocket-streams.md Markdown 300L · 6.2 KB
│ └─ 📝 x402-auth.md Markdown 91L · 3.0 KB
├─ 📁 shared
│ ├─ 📝 authentication.md Markdown 310L · 12.7 KB
│ ├─ 📝 chains.md Markdown 34L · 1.4 KB
│ ├─ 📝 error-handling.md Markdown 39L · 1.5 KB
│ ├─ 📋 mcp-config.json JSON 10L · 165 B
│ └─ 📝 x402-payment.md Markdown 227L · 8.6 KB
├─ 📝 CLAUDE.md Markdown 31L · 1.7 KB
├─ 📝 README.project.md Markdown 133L · 4.2 KB
└─ 📝 SKILL.md Markdown 215L · 13.0 KB

Security Positives

✓ Pure documentation skill — no executable scripts, no code to audit for hidden backdoors
✓ No credential harvesting or exfiltration: API keys/wallet addresses are only sent to api.chainstream.io
✓ No base64 encoding, eval(), or obfuscated code anywhere in the skill
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)
✓ SKILL.md is comprehensive and accurately describes the skill's behavior
✓ Capability map (filesystem:READ, network:READ) is correctly aligned with actual usage
✓ Skill references two related skills (chainstream-graphql, chainstream-defi) rather than duplicating functionality
✓ No supply-chain risk from unpinned dependencies — there are no dependency files
✓ All shell usage is via standard 'npx @chainstream-io/cli' calls (not inline script execution)