Trusted: risk score 5/100
Last scan: 20 hours ago
daily-literature
Automated daily literature search system for academic researchers
This is a legitimate academic literature search skill with no malicious behavior detected. The subprocess call to another skill is a documented inter-skill communication pattern for literature retrieval.
Skill name: daily-literature
Analysis time: 33.6s
Engine: pi
Verdict: safe to install
No action required. The skill is safe to use.

Security findings: 1

Severity | Finding | Category | Location
Low | Minor documentation gap for subprocess usage | Documentation deception | SKILL.md:1
Description: The SKILL.md header does not explicitly declare shell:WRITE capability, though the main documentation body describes the search_lit_review function and inter-skill communication. This is a minor documentation style issue rather than malicious concealment.
Evidence: env_vars section missing shell capability declaration
Recommendation: Add allowed-tools declaration to SKILL.md header if subprocess is intentional
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | File read/write limited to workspace directory
Network access | READ | READ | ✓ Consistent | API calls to PubMed, OpenAlex, Semantic Scholar, Unpaywall
Command execution | NONE | WRITE | ✓ Consistent | daily_literature_search.py:210 - subprocess.run() for inter-skill communication
Environment variables | READ | READ | ✓ Consistent | Uses os.getenv() for documented API keys
Skill invocation | NONE | READ | ✓ Consistent | Invokes literature-review skill for search functionality
Findings: 8

Severity | Category | Type | Value | Location
Medium | External URL | External URL | https://api.unpaywall.org/v2/ | scripts/daily_literature_search.py:431
Medium | External URL | External URL | https://eutils.ncbi.nlm.nih.gov/entrez/eutils/elink.fcgi | scripts/daily_literature_search.py:498
Medium | External URL | External URL | https://www.ncbi.nlm.nih.gov/pmc/articles/ | scripts/daily_literature_search.py:518
Medium | External URL | External URL | https://doi.org/ | scripts/daily_literature_search.py:594
Medium | External URL | External URL | http://doi.org/ | scripts/utils.py:191
Medium | External URL | External URL | https://doi.org/10.1038/s41375-026-02867-9 | tests/test_classifier.py:61
Medium | External URL | External URL | https://doi.org/10.1007/s11899-026-00772-7 | tests/test_classifier.py:76
Info | Email | Email address | [email protected] | README.md:131

Directory structure

10 files · 76.8 KB · 2761 lines
Python: 5 files · 1673 lines; Markdown: 2 files · 622 lines; Shell: 1 file · 274 lines; YAML: 1 file · 178 lines; Text: 1 file · 14 lines
├─ 📁 scripts
│ ├─ 🐍 analyze_uploaded.py Python 277L · 8.1 KB
│ ├─ 🐍 classifier.py Python 167L · 4.7 KB
│ ├─ 🐍 daily_literature_search.py Python 821L · 25.8 KB
│ └─ 🐍 utils.py Python 258L · 7.4 KB
├─ 📁 tests
│ └─ 🐍 test_classifier.py Python 150L · 5.2 KB
├─ 📋 config.example.yaml YAML 178L · 3.8 KB
├─ 🔧 install.sh Shell 274L · 6.9 KB
├─ 📝 README.md Markdown 373L · 7.9 KB
├─ 📄 requirements.txt Text 14L · 271 B
└─ 📝 SKILL.md Markdown 249L · 6.7 KB

Dependency analysis: 2

Package | Version | Source | Known vulnerabilities | Notes
requests | >=2.28.0 | pip | (none listed) | Version pinned with minimum
pyyaml | >=6.0 | pip | (none listed) | Version pinned with minimum

Security highlights

✓ Dependencies are version-pinned (requests>=2.28.0, pyyaml>=6.0)
✓ All network requests go to legitimate academic APIs (PubMed, OpenAlex, Semantic Scholar, Unpaywall)
✓ No credential exfiltration - API keys are used locally only for authentication
✓ File operations are scoped to workspace directory only
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ No obfuscation techniques (base64, eval, atob) detected
✓ No reverse shell, C2, or data theft patterns found
✓ No suspicious cron/scheduled task modifications
✓ Uses subprocess to invoke another legitimate skill (literature-review) for search functionality