Trusted — Risk Score 5/100
Last scan: 18 hr ago
competitor-trial-monitor
Monitor competitor clinical trial progress and alert on market risks
Benign clinical trial monitoring tool with minor documentation inconsistencies but no security concerns in actual code.
Skill Name: competitor-trial-monitor
Duration: 27.6s
Engine: pi
Safe to install
No blocking action needed. Optionally fix SKILL.md to match the actual dependencies used (urllib vs requests).

Findings (1 item)

Severity | Finding | Location
Low | Declared dependencies not used in code (Doc Mismatch) | SKILL.md:105

Details: SKILL.md instructs 'pip install requests python-dateutil' but the actual code uses only the Python stdlib (urllib.request, datetime). This is a documentation inaccuracy rather than malicious deception, as the code is self-contained.
Evidence: pip install requests python-dateutil
→ Update SKILL.md to remove the dependency declaration, or verify whether the dependencies are planned for future use.
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | Writes to ~/.openclaw/competitor-trial-monitor/{watchlist.json,history/,alerts/}
Network | READ | READ | ✓ Aligned | GET requests only to https://clinicaltrials.gov/api/v2/studies/{nct_id}
Shell | NONE | NONE | | No subprocess, os.system, or shell execution found
Environment | NONE | NONE | | No os.environ access, no credential harvesting
1 finding

Severity | Finding | URL | Location
Medium | External URL | https://clinicaltrials.gov/api/v2/studies | scripts/main.py:25

File Tree

2 files · 16.8 KB · 557 lines
Python 1f · 377L Markdown 1f · 180L
├─ 📁 scripts
│ └─ 🐍 main.py Python 377L · 12.0 KB
└─ 📝 SKILL.md Markdown 180L · 4.8 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
requests | unpinned | pip | No | Listed in SKILL.md but not actually used in scripts/main.py (stdlib urllib is used instead)
python-dateutil | unpinned | pip | No | Listed in SKILL.md but not actually used — date arithmetic is done with stdlib datetime

Security Positives

✓ No subprocess or shell execution — uses only stdlib urllib for HTTP
✓ No credential harvesting — does not access os.environ, .env, ~/.ssh, ~/.aws, or similar sensitive paths
✓ No obfuscation — all code is plain Python, no base64, no eval, no atob
✓ No data exfiltration — only outbound read to public API, no beaconing or C2 behavior
✓ No supply chain risk — no third-party packages imported, stdlib only
✓ Filesystem access is scoped to designated data directory (~/.openclaw/competitor-trial-monitor/)
✓ Input validation present — NCT ID passed via argparse
✓ No hidden functionality — SKILL.md accurately describes the feature scope