Scan report
5/100
overlay-market
Trade leveraged perpetual futures on Overlay Protocol (BSC)
Legitimate DeFi trading skill for Overlay Protocol with comprehensive documentation, transparent private key handling via local viem signing, and all network calls documented and confined to known DeFi infrastructure.
Safe to install
This skill is safe to use. Follow the documented security practices: use external signing (e.g., Safe + Zodiac Roles) instead of raw private keys with real funds, and use dedicated testing wallets.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | common.js:10 readFileSync/.cache, common.js:17 mkdirSync/writeFileSync |
| Network access | READ | READ | ✓ Consistent | All network calls documented in SKILL.md External Services table |
| Command execution | NONE | NONE | — | No subprocess/exec calls found |
| Environment variables | READ | READ | ✓ Consistent | OVERLAY_PRIVATE_KEY, BSC_RPC_URL, ONEINCH_API_KEY read but never exfiltrated |
| Skill invocation | NONE | NONE | — | No skill-to-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
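16 findings
| Severity | Type | Description | Value | Location |
|---|---|---|---|---|
| Medium | Wallet address | Cryptocurrency wallet address | 0xeB497c228F130BD91E7F13f81c312243961d894A | SKILL.md:209 |
| Medium | Wallet address | Cryptocurrency wallet address | 0x10575a9C8F36F9F42D7DB71Ef179eD9BEf8Df238 | SKILL.md:210 |
| Medium | External URL | External URL | https://app.overlay.market | SKILL.md:214 |
| Medium | External URL | External URL | https://docs.overlay.market | SKILL.md:215 |
| Medium | External URL | External URL | https://paulmillr.com/funding/ | package-lock.json:27 |
| Medium | Wallet address | Cryptocurrency wallet address | 0xb777ef1b4581677a0c764bFBc33c568d00e97DfC | scripts/common.js:24 |
| Medium | Wallet address | Cryptocurrency wallet address | 0x927aE3c2cd88717a1525a55021AF9612C3F04583 | scripts/common.js:26 |
| Medium | Wallet address | Cryptocurrency wallet address | 0x1F34c87ded863Fe3A3Cd76FAc8adA9608137C8c3 | scripts/common.js:30 |
| Medium | Wallet address | Cryptocurrency wallet address | 0x55d398326f99059fF775485246999027B3197955 | scripts/common.js:31 |
| Medium | External URL | External URL | https://api.overlay.market/data/api/markets | scripts/common.js:33 |
| Medium | External URL | External URL | https://api.overlay.market/bsc-charts/v1/charts | scripts/common.js:34 |
| Medium | External URL | External URL | https://api.overlay.market/bsc-charts/v1/charts/marketsPricesOverview | scripts/common.js:35 |
| Medium | External URL | External URL | https://api.goldsky.com/api/public/project_clyiptt06ifuv01ul9xiwfj28/subgraphs/overlay-bsc/prod/gn | scripts/common.js:36 |
| Medium | External URL | External URL | https://bsc-dataseed.binance.org/ | scripts/common.js:145 |
| Medium | External URL | External URL | https://1inch-proxy.overlay-market-account.workers.dev | scripts/unwind.js:13 |
| Medium | External URL | External URL | https://api.1inch.dev | scripts/unwind.js:14 |
Directory structure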
13 files · 60.6 KB · 1742 lines
JavaScript 9 files · 1298 lines
JSON 2 files · 224 lines
Markdown 2 files · 220 lines
├─ scripts
│  ├─ approve.js (JavaScript)
│  ├─ balance.js (JavaScript)
│  ├─ build.js (JavaScript)
│  ├─ chart.js (JavaScript)
│  ├─ common.js (JavaScript)
│  ├─ positions.js (JavaScript)
│  ├─ scan.js (JavaScript)
│  ├─ send.js (JavaScript)
│  └─ unwind.js (JavaScript)
├─ package-lock.json (JSON)
├─ package.json (JSON)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| viem | ^2.0.0 | npm | No | Well-audited EVM wallet library |
Security highlights
✓ Private key (OVERLAY_PRIVATE_KEY) never transmitted over network - used only for local signing via viem library
✓ send.js enforces ALLOWED_TARGETS whitelist (Shiva contract + USDT token) and restricts USDT to approve() calls only
✓ All external service calls (Overlay API, BSC RPC, Goldsky subgraph, 1inch API) fully documented in SKILL.md
✓ No obfuscation, base64-encoded commands, or suspicious code patterns
✓ Filesystem access limited to .cache/ directory for market data caching
✓ SKILL.md provides comprehensive security guidance including recommendations for smart contract wallets
✓ Production unsigned transaction design: skill outputs unsigned tx JSON, external signer handles actual signing
✓ Single well-audited dependency (viem ^2.0.0) with known audit trail
✓ No credential harvesting beyond environment variables required for DeFi operations
✓ No evidence of C2 infrastructure, data exfiltration, or malicious network destinations