Name: improvement-discriminator Security Report — Low Risk | ClawSafe
Item: improvement-discriminator
Rating: 80
Author: ClawSafe

This report was generated in Chinese. Some content may be in Chinese.

20 /100

improvement-discriminator

对 AI Agent 技能改进候选进行多维度评分和排序，支持 LLM-as-Judge 和多审阅者盲审

合法的 AI 技能评分引擎，存在硬编码演示密码但不影响生产安全

Skill Nameimprovement-discriminator

Duration59.4s

Enginepi

ClawHub improvement-discriminator v1.1.0 by lanyasheng

📥 26

ClawHub Verdict Suspicious dynamic_code_executionllm_suspiciousvt_suspicious

✓

Safe to install

清理测试文件中的硬编码凭证，使用环境变量替代演示密码

Findings 2 items

Severity	Finding	Location
Low	测试文件包含硬编码演示密码 Supply Chain tests/test_p2a_integration.py:79 使用明文 'demo_password_123' 作为测试数据的加密密钥 `key = hashlib.sha256("demo_password_123".encode()).digest()` → 将测试密码移至环境变量或使用 pytest fixture 管理	`tests/test_p2a_integration.py:68`
Low	演示密码命名暗示生产用途 Doc Mismatch interfaces/critic_engine.py:685 的 'DEMO_ONLY_NOT_FOR_PRODUCTION' 命名清晰表明为演示用，但与安全关键字匹配 `password="DEMO_ONLY_NOT_FOR_PRODUCTION"` → 虽然命名正确标识为演示，但建议使用环境变量统一管理	`interfaces/critic_engine.py:685`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`READ`	✓ Aligned	scripts/score.py: 从 JSON 文件读取候选数据
Network	`NONE`	`READ`	✓ Aligned	interfaces/llm_judge.py: 通过 SDK 调用 Claude/OpenAI API
Shell	`NONE`	`NONE`	—	无 shell 执行代码

2 High 2 findings

🔑

High API Key 疑似硬编码凭证

password="DEMO_ONLY_NOT_FOR_PRODUCTION"

interfaces/critic_engine.py:685

🔑

High API Key 疑似硬编码凭证

password="demo_password_123"

tests/test_p2a_integration.py:79

File Tree

14 files · 203.1 KB · 5900 lines

Python 12f · 5816L Markdown 2f · 84L

├─ ▾ 📁 interfaces

│ ├─ 🐍 __init__.py Python 49L · 1.1 KB

│ ├─ 🐍 assertions.py Python 569L · 17.4 KB

│ ├─ 🐍 critic_engine.py Python 1144L · 40.0 KB

│ ├─ 🐍 external_regression.py Python 672L · 21.2 KB

│ ├─ 🐍 human_review.py Python 638L · 20.6 KB

│ └─ 🐍 llm_judge.py Python 240L · 9.2 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 rubric_evidence.py Python 289L · 11.2 KB

│ └─ 🐍 score.py Python 675L · 25.7 KB

├─ ▾ 📁 tests

│ ├─ 🐍 test_llm_judge.py Python 417L · 15.3 KB

│ ├─ 🐍 test_p1_integration.py Python 344L · 10.6 KB

│ ├─ 🐍 test_p2a_integration.py Python 465L · 15.5 KB

│ └─ 🐍 test_score.py Python 314L · 12.0 KB

├─ 📝 README.md Markdown 3L · 88 B

└─ 📝 SKILL.md Markdown 81L · 3.1 KB

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`anthropic`	`*`	pip	No	LLM Judge Claude 后端依赖，用于 API 调用
`openai`	`*`	pip	No	LLM Judge OpenAI 后端依赖

Security Positives

✓ 代码结构清晰，模块职责明确

✓ LLM Judge 支持多后端（Claude/OpenAI/mock）

✓ 包含安全关键字检测逻辑（scripts/score.py:402）

✓ 无网络请求外泄敏感数据

✓ 无 shell 注入风险

✓ 无凭证收割或外传行为

Scan Report

Findings 2 items

File Tree

Dependencies 2 items

Security Positives