High Risk — Risk Score 65/100
Last scan: 17 hr ago
face-analysis
TCM Face Analysis Tool (中医面诊分析工具) - claims to perform only video-based health analysis
This TCM face-analysis skill contains hardcoded database credentials, undeclared database connectivity, and hidden token management functionality not documented in SKILL.md.
Skill Name: face-analysis
Duration: 58.5s
Engine: pi
Do not install this skill
Remove all hardcoded credentials from config files, implement proper secret management, and update SKILL.md to accurately declare all database and token management capabilities.

Findings (5 items)

Severity / Finding / Location

High: Hardcoded Database Credentials in config.yaml (Credential Theft)
The config.yaml file contains plaintext database credentials, including username 'admin' and password 'Smyx2025@db', connecting to MySQL at 172.31.16.2:3306. These credentials are committed to the codebase.
database-url: mysql+pymysql://admin:Smyx2025@db@172.31.16.2:3306/health-cloud?charset=utf8mb4
→ Remove hardcoded credentials; use environment variables or a secrets manager.
skills/scripts/common/config.yaml:4
High: Hardcoded Feishu App Secret (Credential Theft)
The Feishu (Lark) application secret 'zYJMyYcB4kIF5uPCwFACBdmvbr3JkK8r' is hardcoded in config.yaml. This secret can be used to authenticate with Feishu APIs.
feishu-app--secret: zYJMyYcB4kIF5uPCwFACBdmvbr3JkK8r
→ Remove hardcoded secret; use environment variables for authentication tokens.
skills/scripts/common/config.yaml:15
High: Undeclared Database Connectivity and Token Management (Doc Mismatch)
SKILL.md documents only video face analysis, but the actual code implements full CRUD operations on a 'sys_user' database table that stores user tokens and open_tokens. This functionality is completely absent from the documentation.
class User(Base):
    __tablename__ = "sys_user"
    id = Column(String(32), primary_key=True)
    token = Column(String(500))
    open_token = Column(String(1000))
→ Update SKILL.md to document all database operations and token management features, or remove this undeclared functionality.
skills/scripts/common/dao.py:54
High: Database Passwords in Test/Dev Configs with Special Characters (Supply Chain)
config-test.yaml and config-dev.yaml contain the database credentials 'remoteuser:qA{tov-89atz0>opvim&!)[email protected]:3306'. The password is complex, but the credentials are still hardcoded.
database-url: mysql+pymysql://remoteuser:qA{tov-89atz0>opvim&!)[email protected]:3306/health-cloud
→ Move all credentials to environment variables or a secrets manager.
skills/scripts/common/config-test.yaml:1
Medium: Environment Variable Reading for User Identification (Sensitive Access)
The code reads OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, and FEISHU_OPEN_ID from environment variables for user identification. This is legitimate but worth noting for audit purposes.
openclaw_sender_open_id = os.environ.get("OPENCLAW_SENDER_OPEN_ID")
→ Document what user identification data is collected and how it is used.
skills/scripts/common/config.py:195
Resource    Declared  Inferred  Status       Evidence
Filesystem  READ      READ      ✓ Aligned    scripts/face_analysis.py - file upload via multipart/form-data
Network     READ      WRITE     ✗ Violation  skills/scripts/common/dao.py:45 - database WRITE to MySQL server
Database    NONE      WRITE     ✗ Violation  skills/scripts/common/dao.py:54-180 - full CRUD operations on sys_user table
9 findings (2 High)

High: API Key (suspected hardcoded credential)
API_KEY = "your-api-key-here"
README.md:11

High: IP Address (hardcoded IP address)
172.31.16.2
skills/scripts/common/config.yaml:4

Medium: External URL
https://your-api-server.com/api/v1/face-analysis
README.md:10

Medium: External URL
http://livemonitortest.lifeemergence.com/smyx-open-api
skills/scripts/common/config-dev.yaml:4

Medium: External URL
https://healthtest.lifeemergence.com/jeecg-boot
skills/scripts/common/config-dev.yaml:5

Medium: External URL
http://192.168.1.234:8080/jeecg-boot
skills/scripts/common/config-dev.yaml:6

Medium: External URL
https://open.lifeemergence.com/smyx-open-api
skills/scripts/common/config.yaml:5

Medium: External URL
https://lifeemergence.com/jeecg-boot
skills/scripts/common/config.yaml:6

Info: Email address
[email protected]
skills/scripts/common/config-dev.yaml:3

File Tree

21 files · 76.2 KB · 2036 lines
Python 12 files · 1590 lines; Markdown 3 files · 286 lines; Text 1 file · 127 lines; YAML 5 files · 33 lines
├─ 📁 references
│  └─ 📝 api_doc.md Markdown 69L · 1.8 KB
├─ 📁 scripts
│  ├─ 🐍 __init__.py Python 0 B
│  ├─ 🐍 api_service.py Python 62L · 2.0 KB
│  ├─ 🐍 config.py Python 45L · 1.6 KB
│  ├─ 📋 config.yaml YAML 1L · 4 B
│  ├─ 🐍 face_analysis.py Python 221L · 8.3 KB
│  └─ 🐍 skill.py Python 225L · 9.5 KB
├─ 📁 skills
│  └─ 📁 scripts
│     └─ 📁 common
│        ├─ 🐍 __init__.py Python 8L · 151 B
│        ├─ 🐍 api_service.py Python 98L · 2.7 KB
│        ├─ 🐍 base.py Python 25L · 440 B
│        ├─ 📋 config-dev.yaml YAML 9L · 511 B
│        ├─ 📋 config-prod.yaml YAML 0 B
│        ├─ 📋 config-test.yaml YAML 6L · 323 B
│        ├─ 🐍 config.py Python 185L · 7.9 KB
│        ├─ 📋 config.yaml YAML 17L · 648 B
│        ├─ 🐍 dao.py Python 394L · 14.1 KB
│        └─ 🐍 util.py Python 327L · 14.1 KB
├─ 🐍 __init__.py Python 0 B
├─ 📝 README.md Markdown 86L · 2.5 KB
├─ 📄 requirements.txt Text 127L · 2.3 KB
└─ 📝 SKILL.md Markdown 131L · 7.5 KB

Dependencies (4 items)

Package       Version  Source  Known Vulns  Notes
requests      2.32.5   pip     No           Version pinned - good practice
sqlalchemy    2.0.46   pip     No           Version pinned - good practice
pymysql       1.1.2    pip     No           Version pinned - good practice
cryptography  3.4.8    pip     No           Version not latest but stable release

Security Positives

✓ No shell execution (subprocess) detected - skill uses only Python libraries
✓ No base64-encoded payloads or obfuscation techniques observed
✓ No direct IP address network requests to suspicious endpoints
✓ No attempts to access ~/.ssh, ~/.aws, or other sensitive home directory files
✓ No curl|bash or wget|sh remote script execution patterns
✓ Legitimate API-based face analysis functionality as documented