Skip to content

jamejohns/tronsec

Repository files navigation

TRONSEC

TRONSEC

Security terminal for the TRON ecosystem
Wallets · approvals · contracts · transactions · URLs · vanity addresses — read-only, in the browser.

Open app   Website   Telegram

CI MIT License Server-side API keys TRON JS i18n Modules

Report issue  ·  Contribute  ·  Changelog  ·  Architecture  ·  Roadmap


Overview

TRONSEC is a read-only security workbench for TRON. Paste an address, contract, transaction hash, or URL — get structured risk signals without connecting a wallet or creating an account.

Focus areas: on-chain risk · financial crime signals · secure client architecture — wallet compromise patterns, TRC-20 approvals, phishing & drainer surfaces, and read-only tooling that helps users decide before they sign.

This repository is the open-source application (MIT). The marketing site lives at tronsec.io.

Live demo: tronsec.io/app

The first public GitHub release was June 2026 — not the start of the project. TRONSEC had been in active development on tronsec.io for roughly three months before the repo went public. Tags here track the OSS export; the timeline below is the full product history.


Development timeline

Period Milestones
Apr 2026 Terminal UI shell, module routing, Cloudflare Worker proxy (API keys server-side), wallet scanner (portfolio, TRC-20, stake, activity), TronGrid / TronScan client layer
May 2026 AML check + flow graph, contract audit heuristics, TX decoder, URL / phishing scanner (heuristics + VirusTotal via worker), scam-report flow, 8-language i18n
Jun 2026 PWA + service worker, vanity generator (local Web Workers), TRC-20 approvals monitor, production deploy on tronsec.io, MIT OSS published (v1.0v1.1)
Jul 2026 Approvals polish, permission auditor, public architecture / security docs, OSS v1.2.0; network analytics charts; wallet scanner risk score, contract detection, session cache, PDF export

Full month-by-month notes: CHANGELOG.md#development-history.


Production: API keys stay on the server

tronsec.io does not ship API keys in the browser.

The deployed app is static HTML/JS. Every upstream call (TronGrid, TronScan, VirusTotal, optional scam-report backend) goes through a Cloudflare Worker proxy. Credentials are Wrangler secrets on the worker — they never appear in the client bundle, DevTools, or this git tree.

Browser  →  Cloudflare Worker (secrets)  →  TronGrid / TronScan / VirusTotal
Production loads Contains secrets?
app/js/proxy-config.js No — public worker URL only
app/js/secrets.js No — empty placeholders
app/js/secrets.local.js Not shipped — gitignored, not in prod HTML

Cloning this repo and running locally uses the same worker proxy by default — no keys required.

Full diagram: ARCHITECTURE.md


Modules

Module What it does
Wallet scanner Portfolio USD, TRC-20 holdings, stake, bandwidth & energy, security flags, activity feed; risk score 0–100, on-chain approval count, session cache, PDF/summary export; links to Approvals / AML
Approvals Lists active TRC-20 allowances, flags unlimited grants and risky spenders
Permission auditor Owner, active, and witness keys; multisig thresholds; external-controller detection; permission-change history
AML check On-chain heuristics, counterparty exposure, token flows, PDF export
Contract audit Privileged functions, proxy patterns, TRON-specific bytecode signals
TX decoder TRC-20 transfers, approvals, contract calls, fees, scam-pattern warnings
URL scanner Typosquatting, homoglyphs, VirusTotal (via worker)
Vanity generator Base58 patterns in local Web Workers — generated keys never leave your browser
Scam report Structured address/domain reports (delivered via worker when configured)
Network dashboard Live TRX price, chain stats, Fear & Greed; 7-day charts for TRX price, energy/bandwidth usage, and USDT transfer activity (D3 area/line, hover & touch tooltips)

Pet OSS (satellite repos)

Small, focused tools extracted from TRONSEC patterns — also pinned on @jamejohns:

Repo What it is
tronsec-worker-starter Cloudflare Worker API proxy — TronGrid, TronScan, VirusTotal keys stay server-side
tron-approvals-check CLI to list TRON token approvals and flag unlimited or risky spenders
tron-phish-rules Versioned TRON phishing URL heuristics + offline checker (no VirusTotal required)

Use the worker starter with the CLI tools, or run the full terminal here.


Quick start

git clone https://github.com/jamejohns/tronsec.git
cd tronsec
python -m http.server 8080

Open http://localhost:8080/app/ — works out of the box via the public worker proxy (proxy-config.js). No API keys needed.


Worker proxy routes

Public worker base URL (not a secret):

// app/js/proxy-config.js
window.TRONSEC_PROXY = { base: 'https://api-proxy.tronsec-io.workers.dev' };
Route Upstream
/grid/* TronGrid
/scan/* TronScan
/vt/* VirusTotal
/cmc/* CoinMarketCap (TRX quotes)
/telegram/sendMessage Scam-report form delivery (worker-held credentials)

Self-hosting: deploy your own worker, store keys as server secrets, point proxy-config.js at your worker URL, restrict CORS to your domain.


Optional: local dev without proxy

Advanced — direct TronGrid/TronScan keys in the browser (dev machines only)

This path is not used on tronsec.io. Only for developers who intentionally disable the proxy:

cp app/js/secrets.local.example.js app/js/secrets.local.js
window.TRONSEC_PROXY = { base: '' };
Object.assign(window.TRONSEC_KEYS, {
  trongrid: 'YOUR_DEV_TRONGRID_KEY',
  tronscan: 'YOUR_DEV_TRONSCAN_KEY',
});

Keys are visible in DevTools. VirusTotal still requires a worker. Never commit secrets.local.js.


Project layout

app/                 Shell, styles, modules (vanilla JS)
assets/              Brand, fonts, i18n (8 locales)
manifest.json        PWA metadata
sw.js                Service worker

Stack: vanilla JavaScript · Tailwind · Lucide · D3.js · TronGrid / TronScan / VirusTotal (via worker).


Security & privacy

  • Read-only — no wallet connection, no transaction signing from this UI.
  • Production keys server-side — Cloudflare Worker + Wrangler secrets on the live site.
  • Vanity keys stay local — generated private keys never sent to any server.
  • No seed phrases — TRONSEC never asks for your wallet mnemonic.
  • Official product: tronsec.io — keep app/js/brand.js attribution when forking.

See SECURITY.md for responsible disclosure.


tronsec.io/app  ·  tronsec.io  ·  Telegram

About

Read-only TRON security terminal — 10 modules, no wallet connect. On-chain risk, AML, approvals, phishing, contracts, TX decode. Pet OSS: tron-phish-rules, tron-approvals-check, tronsec-worker-starter. https://tronsec.io

Topics

Resources

License

Contributing

Security policy

Stars

2 stars

Watchers

2 watching

Forks

Packages

 
 
 

Contributors