Low risk: risk score 25/100
Last scan: 1 day ago
income-lab
Income experiment and execution system: helps users systematically try various legal ways of earning money, record the experiment process, analyze results, and continuously optimize their strategy.
Legitimate income-tracking skill with one hardcoded API key issue; no malicious behavior detected.
Skill name: income-lab
Analysis time: 35.0s
Engine: pi
Verdict: can be installed
Move the hardcoded API key from payment.py to an environment variable (e.g., SKILLPAY_API_KEY) and regenerate the exposed key.

Security findings: 2

Severity | Finding | Location

Medium | Hardcoded API Key in Source Code (credential theft) | payment.py:12
A private billing API key is hardcoded directly in payment.py, line 12. If this repository is shared publicly, the key could be harvested by adversaries. The key should be moved to an environment variable.
BILLING_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
→ Replace with (after adding `import os`): BILLING_API_KEY = os.environ.get('SKILLPAY_API_KEY', '')

Low | External Network Requests to Payment Provider (sensitive access) | payment.py:36
The skill makes HTTPS requests to skillpay.me for payment processing. While this is documented in SKILL.md, it is outbound traffic that could be avoided if billing were handled externally.
requests.post(f"{BILLING_API_URL}/api/v1/billing/charge"
→ This is acceptable functionality for a paid skill. Consider documenting the exact data transmitted (user_id, skill_id, amount).
Resource type         | Declared | Inferred | Status       | Evidence
Filesystem            | WRITE    | WRITE    | ✓ consistent | ~/.income-lab directory for data storage
Network access        | READ     | WRITE    | ✓ consistent | payment.py:36-67 - POST requests to skillpay.me for billing
Command execution     | NONE     | NONE     |              | No subprocess or shell execution found
Environment variables | READ     | READ     | ✓ consistent | payment.py:75 - reads SKILLPAY_USER_ID from environment
Indicators: 1 high severity, 2 findings

High | API key | Suspected hardcoded credential
API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
payment.py:12

Medium | External URL
https://skillpay.me
payment.py:11

Directory structure

8 files · 38.7 KB · 1286 lines
Markdown: 3 files · 632 lines; Python: 3 files · 626 lines; JSON: 1 file · 19 lines; Text: 1 file · 9 lines
├─ 📁 references
│ ├─ 📝 income-methods.md Markdown 169L · 5.3 KB
│ └─ 📝 retrospective-framework.md Markdown 213L · 3.7 KB
├─ 📁 scripts
│ ├─ 🐍 experiment_tracker.py Python 287L · 10.7 KB
│ └─ 🐍 weekly_reporter.py Python 197L · 7.3 KB
├─ 📋 _meta.json JSON 19L · 431 B
├─ 🐍 payment.py Python 142L · 5.2 KB
├─ 📄 requirements.txt Text 9L · 133 B
└─ 📝 SKILL.md Markdown 250L · 6.0 KB

Dependency analysis: 4 packages

Package         | Version  | Source | Known vulnerabilities | Notes
pandas          | >=2.0.0  | pip    | none listed           | Version pinned
numpy           | >=1.24.0 | pip    | none listed           | Version pinned
matplotlib      | >=3.7.0  | pip    | none listed           | Version pinned
python-dateutil | >=2.8.0  | pip    | none listed           | Version pinned

Security highlights

✓ No shell execution or subprocess usage
✓ No access to sensitive directories (~/.ssh, ~/.aws, .env)
✓ No base64-encoded or obfuscated code
✓ No credential harvesting from environment variables (only reads SKILLPAY_USER_ID)
✓ No reverse shell, C2, or data exfiltration patterns
✓ Data stored locally in ~/.income-lab (appropriate for the skill)
✓ Dependencies are legitimate data processing libraries with version pins
✓ No hidden functionality - scripts match documented behavior