Trusted — risk score 5/100
Last scan: 2 days ago
medical-conference-search
Search medical conference and presentation databases via the NoahAI API. Supports conference search, presentation search, and chained search workflows.
This is a straightforward medical conference search skill that makes HTTPS API calls to a single documented endpoint using a declared Bearer token — no malicious behavior detected.
Skill name: medical-conference-search
Analysis time: 34.2s
Engine: pi
Verdict: safe to install
No action required. Optionally pin the requests dependency (a minimum version, or better an exact version in a lock file) to reduce supply-chain risk.

Security findings: 2

Severity | Finding | Location
Low | Unpinned 'requests' dependency | scripts/search_chained.py:14
  The code imports requests without a version constraint, so `pip install requests` resolves to whatever version the index serves, which can be a vulnerable one. The import-error handler on line 14 prints a helpful install message but does not enforce a safe version.
  import requests
  → Add a version constraint, e.g. pip install "requests>=2.31.0" (quote the specifier, otherwise the shell treats > as a redirect), and record the resolved version in a lock file.
Info | Unused import in all scripts | scripts/search_chained.py:13
  urllib.parse.urljoin is imported in all three scripts but never used. This is harmless dead code.
  from urllib.parse import urljoin
  → Remove the unused import for cleaner code.
Resource | Declared | Inferred | Status | Evidence
Network access | READ | READ | ✓ consistent | All three scripts POST to https://www.noah.bio/api/ with a Bearer token (SKILL.m…
Environment variables | READ | READ | ✓ consistent | os.environ.get('NOAH_API_TOKEN') accessed in all three scripts; declared in SKIL…
File system | NONE | WRITE | ✓ consistent | --output flag writes to disk (search_chained.py line 310, search_conferences.py …
Command execution | NONE | NONE | | No subprocess, os.system, or shell=True calls found in any script
Skill invocation | NONE | NONE | | Scripts do not invoke other skills
Clipboard | NONE | NONE | | No clipboard access detected
Browser | NONE | NONE | | No browser automation detected
Database | NONE | NONE | | No database access detected
Note: the file-system row is declared NONE but inferred WRITE. The scanner still reports it as consistent because the --output write is documented in SKILL.md (see the highlights below); a reviewer should still treat a documented-but-undeclared write as a manifest fix, not something to wave through.
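The table above comes from comparing what SKILL.md declares with what the scanner infers from the scripts. The following is an added illustration of that kind of declared-versus-inferred check, written for this page and not the scanner's own code. The sample script, the declared set, the resource names and the detection rules (requests.* calls count as network READ, os.environ access as env READ, open() in a writing mode as filesystem WRITE, subprocess/os.system or shell=True as command execution) are all constructed here. It applies the strict rule that code doing more than the manifest admits is a mismatch, so the filesystem row comes out as "mismatch" rather than the "consistent" the report shows.

```python
import ast
from typing import Dict, List, Tuple

# Access levels by strength. EXEC is only used for command_execution; it ranks
# above READ so an undeclared shell call is always a mismatch.
ORDER = {"NONE": 0, "READ": 1, "WRITE": 2, "EXEC": 2}

# Constructed sample: a script shaped like the ones the report describes
# (token from env, one HTTPS POST, optional --output write to disk).
SAMPLE_SCRIPT = '''
import os, json, argparse, requests

def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--output")
    args = ap.parse_args()
    token = os.environ.get("NOAH_API_TOKEN")
    resp = requests.post("https://www.noah.bio/api/", json={"q": "oncology"},
                         headers={"Authorization": f"Bearer {token}"},
                         timeout=30, allow_redirects=False)
    if args.output:
        with open(args.output, "w") as fh:
            json.dump(resp.json(), fh)
'''

# Constructed manifest: what the skill *declares*. File system is NONE.
DECLARED = {"network": "READ", "env": "READ", "filesystem": "NONE",
            "command_execution": "NONE"}

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "request"}
EXEC_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_output", "os.system", "os.popen"}


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as os.environ.get as 'os.environ.get'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""  # e.g. requests.Session().post: the chain starts at a Call


def _literal_mode(call: ast.Call) -> str:
    """Best-effort open() mode: second positional arg or mode= keyword, else 'r'."""
    mode = "r"
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = str(call.args[1].value)
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = str(kw.value.value)
    return mode


def infer_permissions(source: str) -> Dict[str, str]:
    """Walk the AST and record the strongest access level seen per resource."""
    perms: Dict[str, str] = {}

    def grant(resource: str, level: str) -> None:
        if ORDER[level] > ORDER[perms.get(resource, "NONE")]:
            perms[resource] = level

    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name.startswith("requests.") and name.rsplit(".", 1)[-1] in HTTP_METHODS:
                grant("network", "READ")          # the report classes API calls as READ
            elif name in {"os.environ.get", "os.getenv"}:
                grant("env", "READ")
            elif name in EXEC_CALLS:
                grant("command_execution", "EXEC")
            elif name == "open":
                writes = any(c in _literal_mode(node) for c in "wax+")
                grant("filesystem", "WRITE" if writes else "READ")
            if any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                   and kw.value.value is True for kw in node.keywords):
                grant("command_execution", "EXEC")  # shell=True on any call
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            grant("env", "READ")                  # os.environ["X"] also reads the env
    return perms


def compare(declared: Dict[str, str], inferred: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Rows of (resource, declared, inferred, status). Code exceeding the manifest
    is a 'mismatch'; a manifest declaring more than the code uses is 'over-declared'."""
    rows = []
    for res in sorted(set(declared) | set(inferred)):
        d, i = declared.get(res, "NONE"), inferred.get(res, "NONE")
        if ORDER[i] > ORDER[d]:
            status = "mismatch"
        elif ORDER[i] < ORDER[d]:
            status = "over-declared"
        else:
            status = "consistent"
        rows.append((res, d, i, status))
    return rows


if __name__ == "__main__":
    for row in compare(DECLARED, infer_permissions(SAMPLE_SCRIPT)):
        print("%-18s declared=%-5s inferred=%-5s %s" % row)
```

Running it prints one row per resource; the only non-consistent row is filesystem (declared NONE, inferred WRITE). The AST walk only sees literal call chains, so dynamic patterns (getattr, aliased modules, Session objects) would need additional rules; the point is that the manifest is checked against what the code actually does, not against its documentation.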
External URLs: 3 findings

Severity | Type | URL | Location
Medium | External URL | https://noah.bio | SKILL.md:339
Medium | External URL | https://www.noah.bio/api/ | SKILL.md:345
Medium | External URL | https://www.noah.bio | scripts/search_chained.py:40

All three point at the noah.bio domain the skill documents as its API host; no other external hosts are referenced.

Directory structure

4 files · 39.9 KB · 1085 lines
Python: 3 files · 736 lines · Markdown: 1 file · 349 lines
├─ 📁 scripts
│ ├─ 🐍 search_chained.py Python 319L · 11.6 KB
│ ├─ 🐍 search_conferences.py Python 208L · 7.3 KB
│ └─ 🐍 search_presentations.py Python 209L · 7.4 KB
└─ 📝 SKILL.md Markdown 349L · 13.5 KB

Dependency analysis: 1 package

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | | Version not pinned: a floating dependency can resolve to a vulnerable version in some environments

Security highlights

✓ All network activity is confined to a single documented HTTPS endpoint: https://www.noah.bio/api/
✓ Bearer token is read from environment (NOAH_API_TOKEN), never hardcoded or exfiltrated
✓ No shell execution (subprocess, os.system, shell=True) in any script
✓ No credential harvesting — only the declared API token is accessed
✓ No sensitive local path access (~/.ssh, ~/.aws, .env files)
✓ No base64 decode/eval/exec patterns present
✓ No remote script download (curl|bash, wget|sh) or runtime installs
✓ Documentation fully matches implementation behavior — doc-to-code alignment is strong
✓ Scripts include proper error handling (ConnectionError, TimeoutError, HTTPError) with informative messages
✓ HTTP redirects are explicitly blocked (allow_redirects=False) to prevent redirect-based credential leakage. requests already drops the Authorization header on cross-host and scheme-changing redirects, but refusing to follow any 30x is the stricter choice and makes an unexpected redirect visible as an error instead of silently re-sending the request.
✓ The --output file write capability is explicitly documented in SKILL.md