BSC Analytics (BSC Ecosystem Analysis)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Review before installing: the BSC analytics content is mostly aligned with its stated analytics purpose, but it embeds a payment API key and verification flow, and it can present hard-coded DeFi data as fresh monitoring.

Install only if you are comfortable with a paid crypto analytics skill contacting SkillPay for payment checks. Do not treat its reports as live market or on-chain data unless it cites fresh sources, and never provide private keys or sign transactions based only on this skill’s recommendations.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A shipped payment credential can be abused or become invalid, and it gives the skill payment-service authority that is not clearly bounded by the analytics purpose.

Why it was flagged

A reusable payment-provider bearer key is embedded directly in distributed code and used for API authorization, while the registry requirements declare no primary credential or required environment variable.

Skill content

SKILLPAY_API_KEY = "sk_f03aa8f8...b1d2" ... "Authorization": f"Bearer {SKILLPAY_API_KEY}"

Recommendation

Do not ship reusable API keys in skill code. Move payment verification server-side or require a clearly declared environment variable, and document the payment scope before use.

What this means

Your wallet address and payment-check metadata may leave the local agent context and be visible to the payment provider.

Why it was flagged

If payment verification is invoked, the skill sends the supplied wallet address, skill slug, and timestamp to an external payment API.

Skill content

SKILLPAY_API_URL = "https://api.skillpay.io/v1" ... "user_address": user_address ... f"{SKILLPAY_API_URL}/verify"

Recommendation

Only provide a wallet address if you intend to use the paid feature. The publisher should disclose this data flow in SKILL.md and avoid sending any unrelated user data.

What this means

Users could make crypto allocation decisions based on stale or sample data that appears to be live on-chain monitoring.

Why it was flagged

The monitor uses hard-coded protocol metrics but generates a fresh timestamp and formats the output as a monitoring report, which can make static data appear current.

Skill content

self.protocols = { 'pancakeswap': { ... 'tvl': 2_500_000_000, ... 'apy': 15.5 } ... } ... 'timestamp': datetime.now().isoformat()

Recommendation

Clearly label hard-coded data as sample data, or fetch and cite live sources with data timestamps before giving investment or risk recommendations.

What this means

Some documented capabilities may fail or may require unreviewed files not included with the skill.

Why it was flagged

SKILL.md references documentation files and a protocol analyzer script that are not present in the supplied file manifest.

Skill content

See [references/protocol-database.md](references/protocol-database.md) ... `scripts/protocol_analyzer.py` - in-depth analysis of a specific protocol

Recommendation

Include the referenced files or remove those instructions; do not run replacement scripts from outside the reviewed package unless you trust their source.