Trusted: risk score 5/100
Last scan: 20 hours ago
competitor-trial-monitor
Monitor competitor clinical trial progress and alert on market risks
Benign clinical trial monitoring tool with minor documentation inconsistencies but no security concerns in actual code.
Skill name: competitor-trial-monitor
Analysis time: 27.6s
Engine: pi
Verdict: safe to install
No blocking action needed. Optionally fix SKILL.md to match the actual dependencies used (urllib vs requests).

Security findings (1)

Severity | Finding | Location
Low | Declared dependencies not used in code (category: documentation deception) | SKILL.md:105
SKILL.md instructs 'pip install requests python-dateutil', but the actual code uses only the Python stdlib (urllib.request, datetime). This is a documentation inaccuracy rather than malicious deception, as the code is self-contained.
Evidence: pip install requests python-dateutil
→ Update SKILL.md to remove the dependency declaration, or verify whether the dependencies are planned for future use.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | WRITE | WRITE | ✓ consistent | Writes to ~/.openclaw/competitor-trial-monitor/{watchlist.json,history/,alerts/}
Network access | READ | READ | ✓ consistent | GET requests only to https://clinicaltrials.gov/api/v2/studies/{nct_id}
Command execution | NONE | NONE | | No subprocess, os.system, or shell execution found
Environment variables | NONE | NONE | | No os.environ access, no credential harvesting
1 finding
Medium | External URL
https://clinicaltrials.gov/api/v2/studies
scripts/main.py:25

Directory structure

2 files · 16.8 KB · 557 lines
Python: 1 file · 377 lines; Markdown: 1 file · 180 lines
├─ 📁 scripts
│ └─ 🐍 main.py Python 377L · 12.0 KB
└─ 📝 SKILL.md Markdown 180L · 4.8 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
requests | unpinned | pip | none listed | Listed in SKILL.md but not actually used in scripts/main.py (stdlib urllib is used instead)
python-dateutil | unpinned | pip | none listed | Listed in SKILL.md but not actually used; date arithmetic is done with stdlib datetime

Security highlights

✓ No subprocess or shell execution — uses only stdlib urllib for HTTP
✓ No credential harvesting — does not access os.environ, .env, ~/.ssh, ~/.aws, or similar sensitive paths
✓ No obfuscation — all code is plain Python, no base64, no eval, no atob
✓ No data exfiltration — only outbound read to public API, no beaconing or C2 behavior
✓ No supply chain risk — no third-party packages imported, stdlib only
✓ Filesystem access is scoped to designated data directory (~/.openclaw/competitor-trial-monitor/)
✓ Input validation present — NCT ID passed via argparse
✓ No hidden functionality — SKILL.md accurately describes the feature scope