README.md

July 10, 2026 · View on GitHub

TRONSEC

TRONSEC

Security terminal for the TRON ecosystem
Wallets · approvals · contracts · transactions · URLs · vanity addresses — read-only, in the browser.

Open app   Website   Telegram

CI MIT License Server-side API keys TRON JS i18n Modules

Report issue  ·  Contribute  ·  Changelog  ·  Architecture  ·  Roadmap


Overview

TRONSEC is a read-only security workbench for TRON. Paste an address, contract, transaction hash, or URL — get structured risk signals without connecting a wallet or creating an account.

Focus areas: on-chain risk · financial crime signals · secure client architecture — wallet compromise patterns, TRC-20 approvals, phishing & drainer surfaces, and read-only tooling that helps users decide before they sign.

This repository is the open-source application (MIT). The marketing site lives at tronsec.io.

Live demo: tronsec.io/app

The first public GitHub release was June 2026 — not the start of the project. TRONSEC had been in active development on tronsec.io for roughly three months before the repo went public. Tags here track the OSS export; the timeline below is the full product history.


Development timeline

PeriodMilestones
Apr 2026Terminal UI shell, module routing, Cloudflare Worker proxy (API keys server-side), wallet scanner (portfolio, TRC-20, stake, activity), TronGrid / TronScan client layer
May 2026AML check + flow graph, contract audit heuristics, TX decoder, URL / phishing scanner (heuristics + VirusTotal via worker), scam-report flow, 8-language i18n
Jun 2026PWA + service worker, vanity generator (local Web Workers), TRC-20 approvals monitor, production deploy on tronsec.io, MIT OSS published (v1.0v1.1)
Jul 2026Approvals polish, public architecture / security docs, OSS v1.2.0; network analytics charts; wallet scanner risk score, on-chain approvals, session cache, PDF export

Full month-by-month notes: CHANGELOG.md#development-history.


Production: API keys stay on the server

tronsec.io does not ship API keys in the browser.

The deployed app is static HTML/JS. Every upstream call (TronGrid, TronScan, VirusTotal, optional scam-report backend) goes through a Cloudflare Worker proxy. Credentials are Wrangler secrets on the worker — they never appear in the client bundle, DevTools, or this git tree.

Browser  →  Cloudflare Worker (secrets)  →  TronGrid / TronScan / VirusTotal
Production loadsContains secrets?
app/js/proxy-config.jsNo — public worker URL only
app/js/secrets.jsNo — empty placeholders
app/js/secrets.local.jsNot shipped — gitignored, not in prod HTML

Cloning this repo and running locally uses the same worker proxy by default — no keys required.

Full diagram: ARCHITECTURE.md


Modules

ModuleWhat it does
Wallet scannerPortfolio USD, TRC-20 holdings, stake, bandwidth & energy, security flags, activity feed; risk score 0–100, on-chain approval count, session cache, PDF/summary export; links to Approvals / AML
ApprovalsLists active TRC-20 allowances, flags unlimited grants and risky spenders
AML checkOn-chain heuristics, counterparty exposure, token flows, PDF export
Contract auditPrivileged functions, proxy patterns, TRON-specific bytecode signals
TX decoderTRC-20 transfers, approvals, contract calls, fees, scam-pattern warnings
URL scannerTyposquatting, homoglyphs, VirusTotal (via worker)
Vanity generatorBase58 patterns in local Web Workers — generated keys never leave your browser
Scam reportStructured address/domain reports (delivered via worker when configured)
Network dashboardLive TRX price, chain stats, Fear & Greed; 7-day charts for TRX price, energy/bandwidth usage, and USDT transfer activity (D3 area/line, hover & touch tooltips)

Pet OSS (satellite repos)

Small, focused tools extracted from TRONSEC patterns — also pinned on @jamejohns:

RepoWhat it is
tronsec-worker-starterCloudflare Worker API proxy — TronGrid, TronScan, VirusTotal keys stay server-side
tron-approvals-checkCLI to list TRON token approvals and flag unlimited or risky spenders
tron-phish-rulesVersioned TRON phishing URL heuristics + offline checker (no VirusTotal required)

Use the worker starter with the CLI tools, or run the full terminal here.


Quick start

git clone https://github.com/jamejohns/tronsec.git
cd tronsec
python -m http.server 8080

Open http://localhost:8080/app/ — works out of the box via the public worker proxy (proxy-config.js). No API keys needed.


Worker proxy routes

Public worker base URL (not a secret):

// app/js/proxy-config.js
window.TRONSEC_PROXY = { base: 'https://api-proxy.tronsec-io.workers.dev' };
RouteUpstream
/grid/*TronGrid
/scan/*TronScan
/vt/*VirusTotal
/cmc/*CoinMarketCap (TRX quotes)
/telegram/sendMessageScam-report form delivery (worker-held credentials)

Self-hosting: deploy your own worker, store keys as server secrets, point proxy-config.js at your worker URL, restrict CORS to your domain.


Optional: local dev without proxy

Advanced — direct TronGrid/TronScan keys in the browser (dev machines only)

This path is not used on tronsec.io. Only for developers who intentionally disable the proxy:

cp app/js/secrets.local.example.js app/js/secrets.local.js
window.TRONSEC_PROXY = { base: '' };
Object.assign(window.TRONSEC_KEYS, {
  trongrid: 'YOUR_DEV_TRONGRID_KEY',
  tronscan: 'YOUR_DEV_TRONSCAN_KEY',
});

Keys are visible in DevTools. VirusTotal still requires a worker. Never commit secrets.local.js.


Project layout

app/                 Shell, styles, modules (vanilla JS)
assets/              Brand, fonts, i18n (8 locales)
manifest.json        PWA metadata
sw.js                Service worker

Stack: vanilla JavaScript · Tailwind · Lucide · D3.js · TronGrid / TronScan / VirusTotal (via worker).


Security & privacy

  • Read-only — no wallet connection, no transaction signing from this UI.
  • Production keys server-side — Cloudflare Worker + Wrangler secrets on the live site.
  • Vanity keys stay local — generated private keys never sent to any server.
  • No seed phrases — TRONSEC never asks for your wallet mnemonic.
  • Official product: tronsec.io — keep app/js/brand.js attribution when forking.

See SECURITY.md for responsible disclosure.


tronsec.io/app  ·  tronsec.io  ·  Telegram