Trusted — Risk Score 5/100
Last scan: 2 days ago
scnet-chat
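SCNet supercomputing platform management tool - cache management, region switching, user information queries, job management and file management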
This is a legitimate Python CLI tool for managing the SCNet supercomputing platform. All functionality is well-documented, subprocess calls execute only internal project scripts, network requests target only official SCNet API endpoints, and there are no signs of credential harvesting, data exfiltration, or malicious behavior.
Skill Name: scnet-chat
Duration: 36.9s
Engine: pi
Safe to install
This skill is safe to use. Consider pinning aiohttp to a specific version in production environments for better dependency stability.

Findings 3 items

Severity Finding Location
Low
Shell execution declared in SECURITY.md but not SKILL.md
subprocess.run is used internally but only for calling project scripts (scripts/job.py, scripts/user.py, etc.), not arbitrary shell commands. This is documented in SECURITY.md.
subprocess.run(['python', str(scripts/job.py), ...])
→ Consider adding subprocess usage to SKILL.md for transparency, though usage is legitimate
SKILL.md:1
Low
aiohttp dependency not version pinned
requirements.txt is not present and aiohttp is installed without version constraints. While this is acceptable for optional performance enhancement, pinning versions is best practice.
pip install aiohttp
→ Consider using pip install "aiohttp>=3.7.0" for better reproducibility (quote the specifier so the shell does not treat > as an output redirect)
SKILL.md:100
Info
Comprehensive SECURITY.md documentation
The project includes detailed security documentation explaining all potentially suspicious code patterns (subprocess, base64, network requests) with legitimate justifications.
Security documentation exists with full explanations
→ No action needed - this is a positive security indicator
SECURITY.md:1
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md declares config and cache file access
Network | READ | READ | ✓ Aligned | All requests to api.scnet.cn and www.scnet.cn APIs
Shell | NONE | WRITE | ✓ Aligned | subprocess used internally for script invocation (legitimate)
16 findings
Medium External URL
https://api.scnet.cn
SECURITY.md:57
Medium External URL
https://www.scnet.cn
SECURITY.md:58
Medium External URL
https://www.scnet.cn/ac/openapi/doc/
SECURITY.md:144
Medium External URL
https://tools.ietf.org/html/rfc7519
SECURITY.md:145
Medium External URL
https://www.scnet.cn/ui/console/index.html#/personal/auth-manage
SKILL.md:84
Medium External URL
https://www.scnet.cn/ac/openapi/doc/2.0/api/jobmanager/job.html
SKILL.md:238
Medium External URL
https://www.scnet.cn/ac/openapi/doc/2.0/api/safecertification/get-user-tokens-aksk.html
scripts/cache.py:295
Medium External URL
https://www.scnet.cn/ac/openapi/doc/2.0/api/safecertification/get-center-info.html
scripts/cache.py:335
Medium External URL
https://www.scnet.cn/ac/openapi/doc/2.0/api/jobmanager/list-cluster.html
scripts/cache.py:350
Medium External URL
https://www.scnet.cn/ac/openapi/doc/2.0/api/jobmanager/query-user-queue.html
scripts/cache.py:365
Medium External URL
https://www.scnet.cn/ac/openapi/doc/2.0/api/userresource/get-common-user.html
scripts/cache.py:380
Medium External URL
https://www.scnet.cn/ac/openapi/doc/2.0/api/jobmanager/query-user-quota.html
scripts/cache.py:395
Medium External URL
https://www.scnet.cn/ac/openapi/doc/2.0/api/jobmanager/query-used-time.html
scripts/cache.py:411
Medium External URL
https://ksefile.hpccube.com:65241/efile
scripts/cache.py:657
Medium External URL
https://ksefile.hpccube.com:65241
scripts/cache.py:657
Medium External URL
https://ksefile.hpccube.com:65241/
scripts/cache.py:658

File Tree

11 files · 266.3 KB · 7099 lines
Python 8f · 6400L Markdown 2f · 677L Env 1f · 22L
├─ 📁 scripts
│ ├─ 🐍 cache.py Python 1380L · 54.6 KB
│ ├─ 🐍 compat.py Python 41L · 1.3 KB
│ ├─ 📄 config.example.env Env 22L · 510 B
│ ├─ 🐍 config.py Python 164L · 5.4 KB
│ ├─ 🐍 file.py Python 821L · 30.1 KB
│ ├─ 🐍 job.py Python 1634L · 63.7 KB
│ ├─ 🐍 user.py Python 829L · 28.4 KB
│ └─ 🐍 utils.py Python 260L · 7.7 KB
├─ 🐍 scnet.py Python 1271L · 49.9 KB
├─ 📝 SECURITY.md Markdown 146L · 4.1 KB
└─ 📝 SKILL.md Markdown 531L · 20.8 KB

Dependencies 1 item

Package | Version | Source | Known Vulns | Notes
aiohttp | >=3.7.0 | pip | No | Optional dependency for async performance; not version pinned

Security Positives

✓ All functionality is clearly documented in SKILL.md with extensive usage examples
✓ SECURITY.md provides comprehensive explanations for potentially suspicious code patterns
✓ Network requests are limited to official SCNet API domains (api.scnet.cn, www.scnet.cn)
✓ subprocess calls execute only internal project scripts, never user-provided commands
✓ No access to sensitive system directories (~/.ssh, ~/.aws, /etc/passwd, etc.)
✓ No evidence of data exfiltration, credential harvesting, or C2 communication
✓ No obfuscation, steganography, or hidden payloads detected
✓ Code is open source and well-structured
✓ JWT token decoding is standard practice for API authentication