pharma-ai 安全扫描报告 — 可信 | ClawSafe

5 /100

pharma-ai

智能药物发现AI助手，提供分子毒性预测、ADMET评估和虚拟筛选功能

PharmaAI is a legitimate drug discovery assistant using RDKit/scikit-learn for molecular toxicity prediction with no malicious behavior detected. Shell execution is documented and necessary for ML integration.

技能名称pharma-ai

分析耗时44.4s

引擎pi

✓

可以安装

Skill is safe for use. Consider pinning Python dependency versions for better supply chain hygiene.

安全发现 2 项

严重性	安全发现	位置
低危	Unpinned Python dependencies 供应链 requirements.txt uses >= version specifiers without upper bounds, allowing potentially incompatible versions to be installed `rdkit>=2023.0.0` → Pin exact versions: rdkit==2023.9.0	`python-core/requirements.txt:1`
提示	Missing screen.py implementation 文档欺骗 python-bridge/index.ts calls virtualScreen which references a 'screen' script that does not exist in python-core/ `await callPython('screen', {...})` → Either implement screen.py or remove the virtualScreen export	`src/python-bridge/index.ts:80`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	predict.py loads models from MODELS_DIR
网络访问	`NONE`	`NONE`	—	No network calls in codebase
命令执行	`WRITE`	`WRITE`	✓ 一致	python-bridge/index.ts:17 spawns python3 subprocess
环境变量	`NONE`	`NONE`	—	No os.environ access for sensitive data
技能调用	`NONE`	`NONE`	—	Standard skill interface
剪贴板	`NONE`	`NONE`	—	Not used
浏览器	`NONE`	`NONE`	—	Not used
数据库	`NONE`	`NONE`	—	Not used

6 项发现

🔗

中危外部 URL 外部 URL

https://clawhub.com

HEADLESS_LOGIN.md:13

🔗

中危外部 URL 外部 URL

https://clawhub.com/settings/tokens

HEADLESS_LOGIN.md:59

🔗

中危外部 URL 外部 URL

https://docs.clawhub.com

HEADLESS_LOGIN.md:122

🔗

中危外部 URL 外部 URL

https://discord.gg/clawd

HEADLESS_LOGIN.md:123

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai/skills

PUBLISH_GUIDE.md:134

📧

提示邮箱邮箱地址

[email protected]

HEADLESS_LOGIN.md:121

目录结构

12 文件 · 22.5 KB · 957 行

Markdown 4f · 444L TypeScript 4f · 294L Python 1f · 163L JSON 2f · 52L Text 1f · 4L

├─ ▾ 📁 python-core

│ ├─ 🐍 predict.py Python 163L · 4.8 KB

│ └─ 📄 requirements.txt Text 4L · 64 B

├─ ▾ 📁 src

│ ├─ ▾ 📁 commands

│ │ └─ 📜 predict.ts TypeScript 77L · 2.2 KB

│ ├─ ▾ 📁 python-bridge

│ │ └─ 📜 index.ts TypeScript 112L · 2.4 KB

│ ├─ ▾ 📁 types

│ │ └─ 📜 index.ts TypeScript 47L · 920 B

│ └─ 📜 index.ts TypeScript 58L · 1.3 KB

├─ 📝 HEADLESS_LOGIN.md Markdown 126L · 2.8 KB

├─ 📋 package.json JSON 34L · 762 B

├─ 📝 PUBLISH_GUIDE.md Markdown 139L · 2.9 KB

├─ 📝 README.md Markdown 70L · 1.4 KB

├─ 📝 SKILL.md Markdown 109L · 2.5 KB

└─ 📋 tsconfig.json JSON 18L · 460 B

依赖分析 4 项

包名	版本	来源	已知漏洞	备注
`rdkit`	`>=2023.0.0`	pip	否	Version not pinned
`scikit-learn`	`>=1.3.0`	pip	否	Version not pinned
`numpy`	`>=1.24.0`	pip	否	Version not pinned
`joblib`	`>=1.3.0`	pip	否	Version not pinned

安全亮点

✓ No network egress or C2 communication detected

✓ No credential harvesting or sensitive data access

✓ No obfuscated code or base64 execution

✓ Shell execution (python3 subprocess) is documented and necessary for ML integration

✓ No curl|bash or remote script execution

✓ File access limited to local model directory

✓ Clean, well-structured pharmaceutical ML codebase