中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 22/100
上次扫描:21 小时前 重新扫描
22 /100
researchclaw
OpenClaw integration for AutoResearchClaw - fully autonomous research from idea to paper
ResearchClaw is a legitimate academic research automation tool with clear documentation. All shell, filesystem, and network operations are declared and necessary for the stated purpose of autonomous paper generation.
技能名称researchclaw
分析耗时40.8s
引擎pi
可以安装
Approve for use. The skill is well-documented and performs expected operations (git clone, pip install, API calls). Monitor for any future updates to the external GitHub repository that may introduce undeclared behavior.

安全发现 2 项

严重性 安全发现 位置
中危
External code download without integrity verification 供应链
The skill clones from https://github.com/aiming-lab/AutoResearchClaw.git without verifying commit hash or release signature. This could allow a compromised version to be installed if the repository is compromised.
git clone https://github.com/aiming-lab/AutoResearchClaw.git
→ Consider pinning to a specific release tag or commit hash for reproducible builds.
 SKILL.md:89
低危
pip install without version pinning 供应链
The pip install -e . command installs all dependencies from setup.py without version constraints. While common, this could lead to unexpected behavior if dependencies are updated.
pip install -e .
→ Consider documenting known-working dependency versions or recommending a requirements lock file.
 SKILL.md:91
资源类型声明权限推断权限状态证据
命令执行 WRITE WRITE ✓ 一致 SKILL.md:89 - git clone, pip install; SKILL.md:109 - researchclaw run
文件系统 WRITE WRITE ✓ 一致 SKILL.md:89 - Clone to ~/AutoResearchClaw; SKILL.md:93 - config file creation; S…
网络访问 READ READ ✓ 一致 SKILL.md:35-46 - OpenAI API calls; SKILL.md:180-185 - Literature APIs (OpenAlex,…
环境变量 READ READ ✓ 一致 SKILL.md:40 - Reads OPENAI_API_KEY from environment
1 项发现
🔗
中危 外部 URL 外部 URL
https://discord.gg/u4ksqW5P
SKILL.md:231

目录结构

1 文件 · 6.5 KB · 237 行
Markdown 1f · 237L
└─ 📝 SKILL.md Markdown 237L · 6.5 KB

依赖分析 1 项

包名版本来源已知漏洞备注
AutoResearchClaw unspecified GitHub (https://github.com/aiming-lab/AutoResearchClaw) Cloned from external repository without version pinning

安全亮点

✓ All shell, filesystem, and network operations are explicitly declared in SKILL.md
✓ No obfuscation, base64-encoded commands, or anti-analysis techniques detected
✓ No credential harvesting beyond necessary API keys (OPENAI_API_KEY)
✓ No data exfiltration or C2 communication patterns observed
✓ Tool is designed for legitimate academic research purposes
✓ No hidden instructions in HTML comments or documentation
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ Documentation is comprehensive and matches the tool's stated purpose