PathClaw 安全扫描报告 — 可疑 | ClawSafe

48 /100

PathClaw

华银康集团病理切片泛癌预测工具

Medical pathology diagnosis skill with hardcoded external IP address, shell execution via curl not explicitly declared, and user file upload to an unverified remote server.

技能名称PathClaw

分析耗时28.8s

引擎pi

⚠

谨慎使用

Replace hardcoded IP with domain name and TLS verification. Add explicit documentation about shell/curl usage and data handling policies for medical images.

安全发现 4 项

严重性	安全发现	位置
高危	Hardcoded External IP Address The skill connects to a hardcoded IP address (119.91.47.20) instead of a domain name. This prevents SSL certificate verification and server identity validation, making the skill vulnerable to man-in-the-middle attacks. 针对服务器 `http://119.91.47.20:8111/` → Replace with a proper domain name with valid TLS certificate	`SKILL.md:7`
中危	Undeclared Shell Execution The skill documents curl commands which require shell:WRITE execution, but the SKILL.md does not explicitly declare this capability requirement. `curl -X POST http://119.91.47.20:8111/api/user/login` → Document shell:WRITE as required capability in SKILL.md header	`SKILL.md:15`
中危	Medical Image Upload to External Server User-provided pathology slide images (.svs files) are uploaded to an external IP without documented data handling, retention, or privacy policies. `-F "slide_file=@/path/to/slide_file"` → Add data handling documentation and ensure compliance with medical data privacy requirements	`SKILL.md:35`
低危	No SSL/TLS Verification Documentation The skill does not document whether SSL certificate verification is performed on API connections. `http://119.91.47.20:8111/` → Use HTTPS and document TLS verification behavior	`SKILL.md:7`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	SKILL.md describes API calls to external server
命令执行	`NONE`	`WRITE`	✗ 越权	SKILL.md:15-50 - curl commands require shell execution

1 高危 5 项发现

📡

高危 IP 地址硬编码 IP 地址

119.91.47.20

SKILL.md:7

🔗

中危外部 URL 外部 URL

http://119.91.47.20:8111/

SKILL.md:7

🔗

中危外部 URL 外部 URL

http://119.91.47.20:8111/api/user/login

SKILL.md:22

🔗

中危外部 URL 外部 URL

http://119.91.47.20:8111/api/v1/diagnosis/run

SKILL.md:44

🔗

中危外部 URL 外部 URL

http://119.91.47.20:8111/api/v1/diagnosis/

SKILL.md:56

目录结构

1 文件 · 4.9 KB · 115 行

Markdown 1f · 115L

└─ 📝 SKILL.md Markdown 115L · 4.9 KB

安全亮点

✓ Comprehensive error handling documented (retry with exponential backoff)

✓ Token masking requirements documented for security

✓ File format validation before upload

✓ Clear status code handling documented

✓ No base64-encoded payloads or obfuscated code found