Low Risk — Risk Score 25/100
Last scan: 17 hr ago
patent-search
Search patents, view patent details, and download and analyze results using the 9235.net patent search API.
A legitimate patent search skill with minor documentation gaps and several undeclared capabilities (shell, filesystem and environment access, most visibly the subprocess call in test_api.py), but no confirmed malicious behavior found.
Skill Name: patent-search
Duration: 57.2s
Engine: pi
Safe to install
Declare the subprocess usage in SKILL.md metadata if it is intentional, and remove the hardcoded API token from config.json (and rotate it: a token that has shipped inside the skill package should be treated as exposed even after it is deleted from the file). The skill otherwise functions as documented for patent search operations.

Findings (5 items)

Medium: Undeclared subprocess execution (Doc Mismatch)
Location: test_api.py:17
test_api.py uses subprocess.run() to execute the shell command `openclaw config get`, which is not declared in SKILL.md. The SKILL.md metadata lists only python3 under requires.bins, not openclaw.
Evidence: subprocess.run(['openclaw', 'config', 'get', 'skills.entries.patent-search.apiKey'], capture_output=True, text=True, timeout=5)
→ Declare shell access (and openclaw under requires.bins) in SKILL.md metadata if the subprocess usage is intentional, or remove the subprocess call from test_api.py.

Medium: Undeclared sensitive file access (Doc Mismatch)
Location: accurate_trend.py:18
Multiple analysis scripts (accurate_trend.py, analyze_applicant.py, analyze_trend.py, trend_alternative.py) read ~/.openclaw/openclaw.json to extract API tokens. This is credential access not declared in SKILL.md. Note also that the path is hardcoded to one developer's home directory rather than resolved from the current user's, so it will not exist on any other machine.
Evidence: config_path = '/Users/xiaoxiao/.openclaw/openclaw.json'
→ Declare filesystem:READ access for credential retrieval, or refactor to use only environment variables.

Low: Environment variable enumeration (Sensitive Access)
Location: check_env.py:13
check_env.py iterates over os.environ.items() and prints every PATENT_*-prefixed environment variable together with its value. Since PATENT_API_TOKEN matches that prefix, the API token itself ends up in the diagnostic output whenever it is pasted into logs or bug reports.
Evidence: for key, value in os.environ.items(): if key.startswith('PATENT_'): print(...)
→ Print only variable names or masked values, or treat this as a diagnostic-only tool with restricted access.

Low: Unpinned dependency (Supply Chain)
Location: SKILL.md:12
The requests library is installed without version pinning (pip install requests), so every install resolves to whatever version is latest on PyPI at that moment; a breaking release, or a compromised one, would be pulled in automatically.
Evidence: {"package": "requests", "label": "Install the requests library"}
→ Pin to a specific version, e.g. requests==2.31.0, ideally with hashes as well (pip install --require-hashes with a hash-pinned requirements file).

Info: Hardcoded API token (Doc Mismatch)
Location: config.json:3
config.json contains what appears to be a hardcoded API token. Even if it is only a test credential, it is shipped with the skill and should be treated as exposed.
Evidence: "token": "549c4760542074d4c116e554c50a131a1f27ca1d"
→ Remove hardcoded tokens and rotate this one; load credentials from environment variables or a .env file excluded from version control.
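The three credential findings above (the home-directory path hardcoded into the openclaw.json reads, check_env.py printing raw PATENT_* values, and the token committed in config.json) share one fix. The block below is an added example written for this page, not code from the skill: a token loader that reads PATENT_API_TOKEN (the variable the capability table says patent_api.py already uses) and nothing else, a masked diagnostics listing that can replace check_env.py's output, and a config.json pre-commit check that flags credential-looking values so that a placeholder example file passes while a live token fails. The secret key names, the hex-token pattern and the two config texts are assumptions constructed for the example.

```python
"""Credential handling for the credential findings above.

Added example for this page, not the skill's own code. PATENT_API_TOKEN is the
variable named in the capability table; SECRET_KEYS, HEX_TOKEN, PLACEHOLDERS
and the sample config texts are this example's own assumptions.
"""
import json
import os
import re
from typing import Dict, List, Optional, Tuple

SECRET_KEYS = {"token", "apikey", "api_key", "secret", "password"}
HEX_TOKEN = re.compile(r"^[0-9a-f]{32,64}$")  # shape of a 32..64 hex-char API token
PLACEHOLDERS = {"", "your-token-here", "changeme", "<token>"}


def load_api_token(env: Optional[Dict[str, str]] = None) -> str:
    """Resolve the token from PATENT_API_TOKEN only: no hardcoded home directory,
    no read of ~/.openclaw/openclaw.json, no config.json fallback."""
    env = os.environ if env is None else env
    token = env.get("PATENT_API_TOKEN", "").strip()
    if not token:
        raise RuntimeError("PATENT_API_TOKEN is not set")
    return token


def mask(value: str) -> str:
    """Confirm a value is present without disclosing it (for diagnostics output)."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...({len(value)} chars)"


def diagnose_environment(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """What check_env.py should emit: PATENT_* names with masked values only."""
    return sorted((k, mask(v)) for k, v in env.items() if k.startswith("PATENT_"))


def find_secrets_in_config(text: str) -> List[str]:
    """JSON paths in a config file whose values look like live credentials."""
    hits: List[str] = []

    def walk(node, path: str) -> None:
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str) and node.lower() not in PLACEHOLDERS:
            key = path.rsplit(".", 1)[-1].lower()
            # Flag by key name (token/apiKey/...) or by value shape (hex token).
            if key in SECRET_KEYS or HEX_TOKEN.match(node):
                hits.append(path)

    walk(json.loads(text), "")
    return hits


# Constructed config texts (not the skill's real config.json / config.example.json).
CONFIG_JSON = (
    '{"api_base": "https://www.9235.net/api", '
    '"token": "0123456789abcdef0123456789abcdef01234567", "timeout": 30}'
)
CONFIG_EXAMPLE_JSON = (
    '{"api_base": "https://www.9235.net/api", "token": "your-token-here", "timeout": 30}'
)

if __name__ == "__main__":
    print("config.json secrets:", find_secrets_in_config(CONFIG_JSON))
    print("config.example.json secrets:", find_secrets_in_config(CONFIG_EXAMPLE_JSON))
    print(diagnose_environment({"PATENT_API_TOKEN": "0123456789abcdef0123", "HOME": "/home/u"}))
```

Run `find_secrets_in_config` over config.json in a pre-commit hook and fail the commit on any hit; config.example.json, which only carries placeholders, passes the same check unchanged.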
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | All network calls use requests.get/post to the 9235.net API
Shell | NONE | WRITE | ✗ Violation | test_api.py:17: subprocess.run(['openclaw', 'config', 'get', ...])
Filesystem | NONE | READ | ✗ Violation | accurate_trend.py:18, analyze_applicant.py:18, etc.: read ~/.openclaw/openclaw.…
Environment | NONE | READ | ✗ Violation | patent_api.py:33 reads PATENT_API_TOKEN; check_env.py iterates os.environ
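The declared-versus-inferred comparison in this table, and the requires.bins mismatch in the subprocess finding, can be reproduced with a small static pass over the skill's Python files. The block below is an added example written for this page, not the scanner's own code: it walks each file's AST, maps a handful of calls to the four resource classes used in the table, pulls argv[0] out of subprocess calls to compare against requires.bins, and reports every inferred capability that is declared NONE. The call-to-capability mapping, the `DECLARED` and `DECLARED_BINS` values and the sample sources (constructed to mirror the findings above, not the skill's real files) are assumptions.

```python
"""Static declared-vs-inferred capability check for a skill's Python files.

Added example for this page, not the scanner's code. The four capability
names follow the table above; the mapping of calls to capabilities, the
declared sets and the sample sources are this example's own assumptions.
"""
import ast
from typing import Dict, List, Set

# Calls that imply a capability (assumed mapping; extend it for your own codebase).
CALL_CAPS = {
    ("subprocess", "run"): "Shell",
    ("subprocess", "Popen"): "Shell",
    ("subprocess", "check_output"): "Shell",
    ("os", "system"): "Shell",
    ("requests", "get"): "Network",
    ("requests", "post"): "Network",
}
BUILTIN_CAPS = {"open": "Filesystem"}           # bare open() call
ATTR_CAPS = {("os", "environ"): "Environment"}  # any use of os.environ


def _dotted(node: ast.AST):
    """('subprocess', 'run') for the AST of `subprocess.run`, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return (node.value.id, node.attr)
    return None


def infer_capabilities(source: str, filename: str) -> Dict[str, Set[str]]:
    """Map each capability used in `source` to the file:line locations using it."""
    found: Dict[str, Set[str]] = {}
    for node in ast.walk(ast.parse(source, filename)):
        cap = None
        if isinstance(node, ast.Call):
            key = _dotted(node.func)
            if key in CALL_CAPS:
                cap = CALL_CAPS[key]
            elif isinstance(node.func, ast.Name) and node.func.id in BUILTIN_CAPS:
                cap = BUILTIN_CAPS[node.func.id]
        elif isinstance(node, ast.Attribute) and _dotted(node) in ATTR_CAPS:
            cap = ATTR_CAPS[_dotted(node)]
        if cap:
            found.setdefault(cap, set()).add(f"{filename}:{node.lineno}")
    return found


def invoked_binaries(source: str) -> Set[str]:
    """argv[0] of every Shell-class call whose command is a literal list or string."""
    bins: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or CALL_CAPS.get(_dotted(node.func)) != "Shell":
            continue
        argv = node.args[0] if node.args else None
        if isinstance(argv, ast.List) and argv.elts and isinstance(argv.elts[0], ast.Constant):
            bins.add(str(argv.elts[0].value))
        elif isinstance(argv, ast.Constant) and isinstance(argv.value, str) and argv.value.split():
            bins.add(argv.value.split()[0])  # shell=True style command string
    return bins


def scan_skill(files: Dict[str, str], declared: Dict[str, str], declared_bins: Set[str]) -> List[str]:
    """One violation line per capability declared NONE but inferred, plus undeclared binaries."""
    inferred: Dict[str, Set[str]] = {}
    bins: Set[str] = set()
    for name, src in files.items():
        for cap, where in infer_capabilities(src, name).items():
            inferred.setdefault(cap, set()).update(where)
        bins |= invoked_binaries(src)
    violations = [
        f"{cap}: declared NONE, inferred from {', '.join(sorted(where))}"
        for cap, where in sorted(inferred.items())
        if declared.get(cap, "NONE") == "NONE"
    ]
    violations += [f"requires.bins missing {b!r}" for b in sorted(bins - declared_bins)]
    return violations


# Constructed sample sources mirroring the findings above (not the skill's real files).
SAMPLE_FILES = {
    "test_api.py": (
        "import subprocess\n"
        "out = subprocess.run(['openclaw', 'config', 'get', 'skills.entries.patent-search.apiKey'],\n"
        "                     capture_output=True, text=True, timeout=5)\n"
    ),
    "accurate_trend.py": (
        "import json, requests\n"
        "with open('/Users/xiaoxiao/.openclaw/openclaw.json') as f:\n"
        "    token = json.load(f)['token']\n"
        "r = requests.get('https://www.9235.net/api/s', headers={'Authorization': token})\n"
    ),
    "check_env.py": (
        "import os\n"
        "for key, value in os.environ.items():\n"
        "    if key.startswith('PATENT_'):\n"
        "        print(key, value)\n"
    ),
}
DECLARED = {"Network": "READ"}  # what SKILL.md declares, per the table above (assumed form)
DECLARED_BINS = {"python3"}     # requires.bins, per the subprocess finding

if __name__ == "__main__":
    for line in scan_skill(SAMPLE_FILES, DECLARED, DECLARED_BINS):
        print(line)
```

The pass is deliberately syntactic: it catches the direct `subprocess.run`, `open()` and `os.environ` uses seen in this skill but not aliased imports (`from subprocess import run`) or dynamic dispatch, so treat a clean result as "nothing obvious" rather than proof of alignment.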
External references: 17 findings

External URLs (Medium):
- https://img.shields.io/badge/OpenClaw-Skill-blue.svg (README.md:3)
- https://clawhub.com (README.md:3)
- https://img.shields.io/badge/License-MIT-yellow.svg (README.md:4)
- https://opensource.org/licenses/MIT (README.md:4)
- https://img.shields.io/badge/Python-3.7+-green.svg (README.md:5)
- https://www.python.org (README.md:5)
- https://img.shields.io/badge/Multi--Language-EN%2FZH-orange.svg (README.md:6)
- https://www.9235.net/api/open (README.md:44)
- https://www.9235.net (README.md:175)
- https://www.9235.net/api (SKILL.md:78)
- https://www.9235.net/api/interface.html (SKILL.md:484)
- https://www.9235.net/help/index.html (SKILL.md:485)
- https://www.9235.net/api/s (accurate_trend.py:55)
- https://www.9235.net/api/analysis (analyze_trend.py:44)
- https://docs.openclaw.ai (main.py:108)
- https://discord.com/invite/clawd (main.py:109)

Email address (Info):
- [email protected] (README.md:180)

These are README badges, license and project links, the 9235.net API and help pages, and help-text URLs in main.py string literals; the capability table above attributes every actual network call to the 9235.net API.

File Tree

14 files · 114.1 KB · 3582 lines
Python: 10 files, 2746 lines · Markdown: 2 files, 779 lines · JSON: 2 files, 57 lines
├─ 🐍 accurate_trend.py Python 307L · 11.1 KB
├─ 🐍 analyze_applicant.py Python 281L · 9.9 KB
├─ 🐍 analyze_trend.py Python 243L · 8.2 KB
├─ 🐍 check_env.py Python 58L · 1.8 KB
├─ 📋 config.example.json JSON 45L · 1.1 KB
├─ 🔑 config.json JSON 12L · 343 B
├─ 🐍 debug_api_response.py Python 159L · 5.5 KB
├─ 🐍 main.py Python 238L · 9.0 KB
├─ 🐍 patent_api.py Python 551L · 16.2 KB
├─ 🐍 patent_skill.py Python 538L · 21.4 KB
├─ 📝 README.md Markdown 294L · 5.9 KB
├─ 📝 SKILL.md Markdown 485L · 11.4 KB
├─ 🐍 test_api.py Python 89L · 2.6 KB
└─ 🐍 trend_alternative.py Python 282L · 9.6 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
requests | * | pip | No | Version not pinned; specify a version such as requests==2.31.0

Security Positives

✓ Core functionality (patent search via 9235.net API) is legitimate and matches documentation
✓ No evidence of credential exfiltration or data theft
✓ No base64-encoded execution, reverse shells, or C2 communication
✓ No suspicious obfuscation techniques detected
✓ Network requests only go to legitimate API endpoint (9235.net)
✓ No evidence of a compromised dependency: the only dependency is the widely used requests library (though it is unpinned, see the Supply Chain finding above)