Trusted — Risk Score 5/100
overlay-market
Trade leveraged perpetual futures on Overlay Protocol (BSC)
Legitimate DeFi trading skill for Overlay Protocol with comprehensive documentation, transparent private key handling via local viem signing, and all network calls documented and confined to known DeFi infrastructure.
Skill Name: overlay-market
Duration: 47.9s
Engine: pi
Safe to install
This skill is safe to use. Follow the documented security practices: use external signing (e.g., Safe + Zodiac Roles) instead of raw private keys with real funds, and use dedicated testing wallets.

| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | READ | READ | ✓ Aligned | common.js:10 readFileSync/.cache, common.js:17 mkdirSync/writeFileSync |
| Network | READ | READ | ✓ Aligned | All network calls documented in SKILL.md External Services table |
| Shell | NONE | NONE | | No subprocess/exec calls found |
| Environment | READ | READ | ✓ Aligned | OVERLAY_PRIVATE_KEY, BSC_RPC_URL, ONEINCH_API_KEY read but never exfiltrated |
| Skill Invoke | NONE | NONE | | No skill-to-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |

16 findings

| Severity | Type | Value | Location |
| --- | --- | --- | --- |
| Medium | Wallet Address | 0xeB497c228F130BD91E7F13f81c312243961d894A | SKILL.md:209 |
| Medium | Wallet Address | 0x10575a9C8F36F9F42D7DB71Ef179eD9BEf8Df238 | SKILL.md:210 |
| Medium | External URL | https://app.overlay.market | SKILL.md:214 |
| Medium | External URL | https://docs.overlay.market | SKILL.md:215 |
| Medium | External URL | https://paulmillr.com/funding/ | package-lock.json:27 |
| Medium | Wallet Address | 0xb777ef1b4581677a0c764bFBc33c568d00e97DfC | scripts/common.js:24 |
| Medium | Wallet Address | 0x927aE3c2cd88717a1525a55021AF9612C3F04583 | scripts/common.js:26 |
| Medium | Wallet Address | 0x1F34c87ded863Fe3A3Cd76FAc8adA9608137C8c3 | scripts/common.js:30 |
| Medium | Wallet Address | 0x55d398326f99059fF775485246999027B3197955 | scripts/common.js:31 |
| Medium | External URL | https://api.overlay.market/data/api/markets | scripts/common.js:33 |
| Medium | External URL | https://api.overlay.market/bsc-charts/v1/charts | scripts/common.js:34 |
| Medium | External URL | https://api.overlay.market/bsc-charts/v1/charts/marketsPricesOverview | scripts/common.js:35 |
| Medium | External URL | https://api.goldsky.com/api/public/project_clyiptt06ifuv01ul9xiwfj28/subgraphs/overlay-bsc/prod/gn | scripts/common.js:36 |
| Medium | External URL | https://bsc-dataseed.binance.org/ | scripts/common.js:145 |
| Medium | External URL | https://1inch-proxy.overlay-market-account.workers.dev | scripts/unwind.js:13 |
| Medium | External URL | https://api.1inch.dev | scripts/unwind.js:14 |

File Tree

13 files · 60.6 KB · 1742 lines
JavaScript 9f · 1298L JSON 2f · 224L Markdown 2f · 220L
├─ 📁 scripts
│ ├─ 📜 approve.js JavaScript 44L · 1.4 KB
│ ├─ 📜 balance.js JavaScript 46L · 1.1 KB
│ ├─ 📜 build.js JavaScript 161L · 5.7 KB
│ ├─ 📜 chart.js JavaScript 118L · 5.2 KB
│ ├─ 📜 common.js JavaScript 319L · 11.7 KB
│ ├─ 📜 positions.js JavaScript 171L · 5.6 KB
│ ├─ 📜 scan.js JavaScript 93L · 3.5 KB
│ ├─ 📜 send.js JavaScript 77L · 2.3 KB
│ └─ 📜 unwind.js JavaScript 269L · 9.1 KB
├─ 📋 package-lock.json JSON 217L · 6.7 KB
├─ 📋 package.json JSON 7L · 115 B
├─ 📝 README.md Markdown 5L · 123 B
└─ 📝 SKILL.md Markdown 215L · 8.0 KB

Dependencies 1 items

| Package | Version | Source | Known Vulns | Notes |
| --- | --- | --- | --- | --- |
| viem | ^2.0.0 | npm | No | Well-audited EVM wallet library |

Security Positives

✓ Private key (OVERLAY_PRIVATE_KEY) never transmitted over network - used only for local signing via viem library
✓ send.js enforces ALLOWED_TARGETS whitelist (Shiva contract + USDT token) and restricts USDT to approve() calls only
✓ All external service calls (Overlay API, BSC RPC, Goldsky subgraph, 1inch API) fully documented in SKILL.md
✓ No obfuscation, base64-encoded commands, or suspicious code patterns
✓ Filesystem access limited to .cache/ directory for market data caching
✓ SKILL.md provides comprehensive security guidance including recommendations for smart contract wallets
✓ Production unsigned transaction design: skill outputs unsigned tx JSON, external signer handles actual signing
✓ Single well-audited dependency (viem ^2.0.0) with known audit trail
✓ No credential harvesting beyond environment variables required for DeFi operations
✓ No evidence of C2 infrastructure, data exfiltration, or malicious network destinations