Low Risk — Risk Score 25/100
Last scan: 1 day ago
income-lab
Income experiment and execution system - helps users systematically try various legitimate ways of earning money, record the experiment process, analyze the results, and continuously optimize their strategies
Legitimate income tracking skill with one hardcoded API key issue but no malicious behavior detected.
Skill Name: income-lab
Duration: 35.0s
Engine: pi
Safe to install
Move the hardcoded API key from payment.py to an environment variable (e.g., SKILLPAY_API_KEY) and regenerate the exposed key.

Findings (2 items)

Severity: Medium
Finding: Hardcoded API Key in Source Code (Credential Theft)
Location: payment.py:12
A private billing API key is hardcoded directly in payment.py at line 12. If this repository is shared publicly, the key can be harvested by anyone who reads the source. The key should be moved to an environment variable and, because the value is already exposed in the source, regenerated.
BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
→ Replace with: BILLING_API_KEY = os.environ.get('SKILLPAY_API_KEY', '') (this requires import os at the top of payment.py if it is not already imported)

Severity: Low
Finding: External Network Requests to Payment Provider (Sensitive Access)
Location: payment.py:36
The skill makes HTTPS requests to skillpay.me for payment processing. While this is documented in SKILL.md, it is outbound traffic that could be avoided if billing were handled externally.
requests.post(f"{BILLING_API_URL}/api/v1/billing/charge"
→ This is acceptable functionality for a paid skill. Consider documenting the exact data transmitted (user_id, skill_id, amount).
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | ~/.income-lab directory for data storage
Network | READ | WRITE | ✓ Aligned | payment.py:36-67 - POST requests to skillpay.me for billing
Shell | NONE | NONE | - | No subprocess or shell execution found
Environment | READ | READ | ✓ Aligned | payment.py:75 - reads SKILLPAY_USER_ID from environment
1 High, 2 findings
High: API Key (suspected hardcoded credential)
API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
payment.py:12
Medium: External URL
https://skillpay.me
payment.py:11

File Tree

8 files · 38.7 KB · 1286 lines
Markdown: 3 files, 632 lines · Python: 3 files, 626 lines · JSON: 1 file, 19 lines · Text: 1 file, 9 lines
├─ 📁 references
│ ├─ 📝 income-methods.md Markdown 169L · 5.3 KB
│ └─ 📝 retrospective-framework.md Markdown 213L · 3.7 KB
├─ 📁 scripts
│ ├─ 🐍 experiment_tracker.py Python 287L · 10.7 KB
│ └─ 🐍 weekly_reporter.py Python 197L · 7.3 KB
├─ 📋 _meta.json JSON 19L · 431 B
├─ 🐍 payment.py Python 142L · 5.2 KB
├─ 📄 requirements.txt Text 9L · 133 B
└─ 📝 SKILL.md Markdown 250L · 6.0 KB

Dependencies (4 items)

Package | Version | Source | Known Vulns | Notes
pandas | >=2.0.0 | pip | No | Version pinned
numpy | >=1.24.0 | pip | No | Version pinned
matplotlib | >=3.7.0 | pip | No | Version pinned
python-dateutil | >=2.8.0 | pip | No | Version pinned

Security Positives

✓ No shell execution or subprocess usage
✓ No access to sensitive directories (~/.ssh, ~/.aws, .env)
✓ No base64-encoded or obfuscated code
✓ No credential harvesting from environment variables (only reads SKILLPAY_USER_ID)
✓ No reverse shell, C2, or data exfiltration patterns
✓ Data stored locally in ~/.income-lab (appropriate for the skill)
✓ Dependencies are legitimate data processing libraries with version pins
✓ No hidden functionality - scripts match documented behavior