Low risk: risk score 25/100
Last scan: 18 hours ago
patent-search
Patent search, detail lookup, download and analysis using the 9235.net patent search API
A legitimate patent search skill with minor documentation gaps and one undeclared capability (subprocess usage in test_api.py), but no confirmed malicious behavior found.
Skill name: patent-search
Analysis time: 57.2s
Engine: pi
Verdict: can be installed
Consider declaring subprocess usage in SKILL.md metadata if intentional, and remove the hardcoded API token from config.json. The skill otherwise functions as documented for patent search operations.

Security findings (5)

Severity: Medium
Finding: Undeclared subprocess execution (category: documentation deception)
test_api.py uses subprocess.run() to execute the shell command 'openclaw config get', which is not declared in SKILL.md. The SKILL.md metadata lists only python3 under requires.bins, not openclaw.
subprocess.run(['openclaw', 'config', 'get', 'skills.entries.patent-search.apiKey'], capture_output=True, text=True, timeout=5)
→ Declare shell access in SKILL.md metadata if subprocess usage is intentional, or remove the subprocess call from test_api.py
Location: test_api.py:17

Severity: Medium
Finding: Undeclared sensitive file access (category: documentation deception)
Multiple analysis scripts (accurate_trend.py, analyze_applicant.py, analyze_trend.py, trend_alternative.py) read ~/.openclaw/openclaw.json to extract API tokens. This is a form of credential access that is not declared in SKILL.md.
config_path = '/Users/xiaoxiao/.openclaw/openclaw.json'
→ Declare filesystem:READ access for credential retrieval, or refactor to use only environment variables
Location: accurate_trend.py:18

Severity: Low
Finding: Environment variable enumeration (category: sensitive access)
check_env.py iterates over os.environ.items() and prints every environment variable with the PATENT_ prefix, potentially exposing sensitive configuration values.
for key, value in os.environ.items(): if key.startswith('PATENT_'): print(...)
→ Limit output to metadata without exposing actual values, or treat this as a diagnostic-only tool with restricted access
Location: check_env.py:13

Severity: Low
Finding: Unpinned dependency (category: supply chain)
The requests library is installed without version pinning (pip install requests), which could lead to unexpected behavior if a malicious version is published.
{"package": "requests", "label": "安装requests库"}
→ Pin to a specific version: requests==2.31.0
Location: SKILL.md:12

Severity: Info
Finding: Hardcoded API token (category: documentation deception)
config.json contains what appears to be a hardcoded API token. While this may be intended for testing, it represents a credential exposure risk.
"token": "549c4760542074d4c116e554c50a131a1f27ca1d"
→ Remove hardcoded tokens; use environment variables or a .env file excluded from version control
Location: config.json:3
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ consistent | All network calls use requests.get/post to the 9235.net API
Command execution | NONE | WRITE | ✗ exceeds declaration | test_api.py:17 - subprocess.run(['openclaw', 'config', 'get', ...])
Filesystem | NONE | READ | ✗ exceeds declaration | accurate_trend.py:18, analyze_applicant.py:18, etc. - read ~/.openclaw/openclaw.…
Environment variables | NONE | READ | ✗ exceeds declaration | patent_api.py:33 reads PATENT_API_TOKEN; check_env.py iterates os.environ
17 findings (external URLs and contact addresses)

Severity | Type | Value | Location
Medium | External URL | https://img.shields.io/badge/OpenClaw-Skill-blue.svg | README.md:3
Medium | External URL | https://clawhub.com | README.md:3
Medium | External URL | https://img.shields.io/badge/License-MIT-yellow.svg | README.md:4
Medium | External URL | https://opensource.org/licenses/MIT | README.md:4
Medium | External URL | https://img.shields.io/badge/Python-3.7+-green.svg | README.md:5
Medium | External URL | https://www.python.org | README.md:5
Medium | External URL | https://img.shields.io/badge/Multi--Language-EN%2FZH-orange.svg | README.md:6
Medium | External URL | https://www.9235.net/api/open | README.md:44
Medium | External URL | https://www.9235.net | README.md:175
Medium | External URL | https://www.9235.net/api | SKILL.md:78
Medium | External URL | https://www.9235.net/api/interface.html | SKILL.md:484
Medium | External URL | https://www.9235.net/help/index.html | SKILL.md:485
Medium | External URL | https://www.9235.net/api/s | accurate_trend.py:55
Medium | External URL | https://www.9235.net/api/analysis | analyze_trend.py:44
Medium | External URL | https://docs.openclaw.ai | main.py:108
Medium | External URL | https://discord.com/invite/clawd | main.py:109
Info | Email address | [email protected] | README.md:180

Directory structure

14 files · 114.1 KB · 3582 lines
Python: 10 files, 2746 lines · Markdown: 2 files, 779 lines · JSON: 2 files, 57 lines
├─ 🐍 accurate_trend.py Python 307L · 11.1 KB
├─ 🐍 analyze_applicant.py Python 281L · 9.9 KB
├─ 🐍 analyze_trend.py Python 243L · 8.2 KB
├─ 🐍 check_env.py Python 58L · 1.8 KB
├─ 📋 config.example.json JSON 45L · 1.1 KB
├─ 🔑 config.json JSON 12L · 343 B
├─ 🐍 debug_api_response.py Python 159L · 5.5 KB
├─ 🐍 main.py Python 238L · 9.0 KB
├─ 🐍 patent_api.py Python 551L · 16.2 KB
├─ 🐍 patent_skill.py Python 538L · 21.4 KB
├─ 📝 README.md Markdown 294L · 5.9 KB
├─ 📝 SKILL.md Markdown 485L · 11.4 KB
├─ 🐍 test_api.py Python 89L · 2.6 KB
└─ 🐍 trend_alternative.py Python 282L · 9.6 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | none listed | Version not pinned; specify a version such as requests==2.31.0

Security highlights

✓ Core functionality (patent search via 9235.net API) is legitimate and matches documentation
✓ No evidence of credential exfiltration or data theft
✓ No base64-encoded execution, reverse shells, or C2 communication
✓ No suspicious obfuscation techniques detected
✓ Network requests only go to legitimate API endpoint (9235.net)
✓ No supply chain attacks in dependencies (requests library is widely used)