chainstream-data 安全扫描报告 — 低风险 | ClawSafe

20 /100

chainstream-data

Query and analyze on-chain data via MCP (17 tools) and CLI across Solana, BSC, Ethereum. Covers token analytics, market ranking, wallet profiling, and WebSocket streaming.

ChainStream Data is a read-only on-chain analytics skill (pure Markdown documentation) that poses minimal risk; the sole concern is a documented curl|bash command to install the Tempo Wallet CLI, which is a legitimate but risky installation pattern with no actual malicious impact.

技能名称chainstream-data

分析耗时71.8s

引擎pi

✓

可以安装

Approve with caution. If the risk appetite requires zero curl|bash patterns, remove Path 3 (Tempo Wallet MPP) from shared/authentication.md and reference it via external skill instead: 'npx skills add tempoxyz/docs'.

安全发现 1 项

严重性	安全发现	位置
低危	curl\|bash to install Tempo Wallet CLI 供应链 shared/authentication.md:182 documents 'curl -fsSL https://tempo.xyz/install \| bash' to install the Tempo Wallet CLI. While this is a declared and legitimate installation method, piped remote script execution is a known high-risk pattern. The command downloads and executes a script from tempo.xyz non-interactively. No evidence of tampering with the remote script was found, and the purpose (installing Tempo Wallet for MPP payment) is directly relevant to the skill's functionality. `curl -fsSL https://tempo.xyz/install \| bash` → Prefer 'npx skills add tempoxyz/docs' or require users to download Tempo Wallet from an official website manually, rather than piping curl to bash.	`shared/authentication.md:182`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	SKILL.md declares Read tool for documentation loading
网络访问	`READ`	`READ`	✓ 一致	SKILL.md declares WebFetch for API calls to api.chainstream.io, mcp.chainstream.…
命令执行	`NONE`	`NONE`	—	Skill contains no scripts. npx usage is for the ChainStream CLI binary (not inli…
环境变量	`READ`	`READ`	✓ 一致	Skill reads environment variables for API keys and wallet addresses, but only pa…
技能调用	`NONE`	`NONE`	—	Skill references chainstream-graphql and chainstream-defi as related skills but …

1 严重 41 项发现

💀

严重危险命令危险 Shell 命令

curl -fsSL https://tempo.xyz/install | bash

shared/authentication.md:182

🔗

中危外部 URL 外部 URL

https://mcp.chainstream.io/mcp

CLAUDE.md:20

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/License-MIT-yellow.svg

README.project.md:3

🔗

中危外部 URL 外部 URL

https://docs.chainstream.io

README.project.md:126

🔗

中危外部 URL 外部 URL

https://app.chainstream.io

README.project.md:127

🔗

中危外部 URL 外部 URL

https://docs.chainstream.io/api-reference

README.project.md:129

🔗

中危外部 URL 外部 URL

https://api.chainstream.io

SKILL.md:13

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/mpp/purchase?plan=

SKILL.md:37

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/x402/status?chain=evm&address=ADDR

SKILL.md:131

🔗

中危外部 URL 外部 URL

https://mcp.chainstream.io/sse

references/api-schema.md:22

🔗

中危外部 URL 外部 URL

https://dex.asia.auth.chainstream.io/oauth/token

references/api-schema.md:24

🔗

中危外部 URL 外部 URL

https://mcp.chainstream.io/x402/pricing

references/api-schema.md:25

🔗

中危外部 URL 外部 URL

https://x402.org/facilitator

references/api-schema.md:26

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/v2/token/search?keyword=PUMP&chain=sol

references/query-examples.md:15

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/v2/token/sol/DezXAZ8z7PnrnRJjz3wXBoRgixCa6xjnB7YaB1pPB263

references/query-examples.md:39

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/v2/token/sol/DezXAZ8z7PnrnRJjz3wXBoRgixCa6xjnB7YaB1pPB263/security

references/query-examples.md:41

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/v2/token/sol/DezXAZ8z7PnrnRJjz3wXBoRgixCa6xjnB7YaB1pPB263/topHolders

references/query-examples.md:43

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/v2/wallet/sol/5Q544fKrFoe6tsEbD7S8EmxGTJYAKtTVhAW5Q5pge4j1/pnl

references/query-examples.md:101

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/v2/wallet/bsc/0xABC.../net-worth-details

references/query-examples.md:121

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/v2/wallet/bsc/0xABC.../tokens-balance

references/query-examples.md:123

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/v2/trade/sol/top-traders

references/query-examples.md:194

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/v2/token/sol/DezXAZ.../traders/smart_money

references/query-examples.md:205

🔗

中危外部 URL 外部 URL

https://my-server.com/webhook

references/query-examples.md:213

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/v2/webhook/endpoint

references/query-examples.md:219

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/v2/token/sol/marketData/multi?addresses=ADDR1

references/query-examples.md:228

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/v2/token/sol/TOKEN_ADDRESS/security

references/query-examples.md:244

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/v2/token/sol/dev/DEV_ADDRESS/tokens

references/query-examples.md:258

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/x402/pricing

references/x402-auth.md:21

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/x402/purchase?plan=nano

references/x402-auth.md:59

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/x402/status?chain=evm&address=0x...

references/x402-auth.md:81

💰

中危钱包地址加密货币钱包地址

0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913

references/x402-auth.md:90

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/x402/purchase?plan=

shared/authentication.md:148

🔗

中危外部 URL 外部 URL

https://tempo.xyz/SKILL.md

shared/authentication.md:176

🔗

中危外部 URL 外部 URL

https://tempo.xyz/install

shared/authentication.md:182

🔗

中危外部 URL 外部 URL

https://api.chainstream.io/mpp/pricing

shared/authentication.md:186

💰

中危钱包地址加密货币钱包地址

0x0000000000000000000000000000000000000000

shared/chains.md:18

💰

中危钱包地址加密货币钱包地址

0x8ac76a51cc950d9822d68b83fe1ad97b32cd580d

shared/chains.md:18

💰

中危钱包地址加密货币钱包地址

0xA0b86991c6218b36c1d19d4a2e9eb0ce3606eB48

shared/chains.md:19

🔗

中危外部 URL 外部 URL

https://solscan.io/tx/

shared/chains.md:25

🔗

中危外部 URL 外部 URL

https://bscscan.com/tx/

shared/chains.md:26

🔗

中危外部 URL 外部 URL

https://etherscan.io/tx/

shared/chains.md:27

目录结构

16 文件 · 78.5 KB · 2112 行

Markdown 15f · 2102L JSON 1f · 10L

├─ ▾ 📁 references

│ ├─ 📝 api-endpoints.md Markdown 131L · 6.8 KB

│ ├─ 📝 api-schema.md Markdown 143L · 4.0 KB

│ ├─ 📝 market-discovery.md Markdown 74L · 2.8 KB

│ ├─ 📝 query-examples.md Markdown 259L · 7.1 KB

│ ├─ 🔑 token-research.md ⚠ Markdown 55L · 2.9 KB

│ ├─ 📝 wallet-profiling.md Markdown 60L · 2.5 KB

│ ├─ 📝 websocket-streams.md Markdown 300L · 6.2 KB

│ └─ 📝 x402-auth.md Markdown 91L · 3.0 KB

├─ ▾ 📁 shared

│ ├─ 📝 authentication.md Markdown 310L · 12.7 KB

│ ├─ 📝 chains.md Markdown 34L · 1.4 KB

│ ├─ 📝 error-handling.md Markdown 39L · 1.5 KB

│ ├─ 📋 mcp-config.json JSON 10L · 165 B

│ └─ 📝 x402-payment.md Markdown 227L · 8.6 KB

├─ 📝 CLAUDE.md Markdown 31L · 1.7 KB

├─ 📝 README.project.md Markdown 133L · 4.2 KB

└─ 📝 SKILL.md Markdown 215L · 13.0 KB

安全亮点

✓ Pure documentation skill — no executable scripts, no code to audit for hidden backdoors

✓ No credential harvesting or exfiltration: API keys/wallet addresses are only sent to api.chainstream.io

✓ No base64 encoding, eval(), or obfuscated code anywhere in the skill

✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)

✓ SKILL.md is comprehensive and accurately describes the skill's behavior

✓ Capability map (filesystem:READ, network:READ) is correctly aligned with actual usage

✓ Skill references two related skills (chainstream-graphql, chainstream-defi) rather than duplicating functionality

✓ No supply-chain risk from unpinned dependencies — there are no dependency files

✓ All shell usage is via standard 'npx @chainstream-io/cli' calls (not inline script execution)