{"root_cid":"bafybeicovnv4obi4lgtgkhzuhd6cwdmnhmn2pm3xnvzawi7axwb66ikfwe","model":"openai/gpt-5.4-mini","analyzed_at":"2026-05-13T03:35:50.581Z","result":{"schema_version":1,"category":"Finance","category_confidence":0.84,"summary":"Nullcoin is a Telegram-linked token rewards app with task-driven boosts and FAQ content, but the mount also contains a hardcoded Google service-account private key.","signals":["analysis-context.json: name 'nullcointoken.eth' and latest_probe title 'Redirecting...' for ipfs://bafybeicovnv4obi4lgtgkhzuhd6cwdmnhmn2pm3xnvzawi7axwb66ikfwe/","index.html: window.location.href = \"https://t.me/nullcointoken_bot\"","bot/index.html: title 'Nullcoin' plus task/reward panels, balance widgets, and FAQs about buying NullCoin and token allocation","bot/index.js: task list includes 'Join Nullcoin', 'Follow Nullcoin', and reward types coins/shards/boosts","bot/gsheet.js: this.privateKey = \"-----BEGIN PRIVATE KEY-----...\" and the file is loaded by bot/index.html via <script src=\"gsheet.js\"></script>"],"quality":{"tier":"fair","score":0.58,"is_substantive":true,"is_redirect_only":false,"is_placeholder":false,"rationale":"The mount includes a functional Telegram mini-app with reward tasks and explanatory content, but it is rough and partly redirect-oriented rather than a polished standalone product."},"security":{"risk":"critical","risk_score":0.98,"threat_type":"other","safe_to_list":false,"findings":[{"type":"other","severity":"critical","confidence":0.99,"evidence":"bot/gsheet.js line 3 contains a full PEM private key string: '-----BEGIN PRIVATE KEY-----' ... '-----END PRIVATE KEY-----'; bot/index.html line 401 loads gsheet.js in the client.","file":"bot/gsheet.js"}]},"files_reviewed":["analysis-context.json","index.html","index.js","bot/index.html","bot/index.js","bot/gsheet.js"]}}