Low risk: risk score 15/100
Last scan: 22 hours ago
cross-disciplinary-bridge-finder
Identifies collaboration opportunities across fields, finds experts in complementary disciplines, translates methodologies between scientific domains, and builds interdisciplinary research teams.
Legitimate cross-disciplinary research tool with no malicious behavior; minor doc-code mismatch on declared permissions but no security impact.
Skill name: cross-disciplinary-bridge-finder
Analysis time: 62.6s
Engine: pi
Verdict: safe to install
This skill is safe to use. Consider updating SKILL.md to accurately reflect that only standard Python libraries are used (no shell access or file I/O tools required).

Security findings (2)

Severity | Finding | Location
Low | Permission declaration mismatch (documentation deception) | SKILL.md:4
  SKILL.md declares 'Read Write Bash Edit' tools but the actual implementation uses none of these. The code only imports standard Python libraries (argparse, json, os, re, sys, dataclasses, pathlib, uuid, datetime, numpy, networkx, sklearn) with no external tool usage.
  Evidence:
    allowed-tools: "Read Write Bash Edit"
  → Update SKILL.md to accurately reflect the tools used, or remove the tool declarations if they do not apply.
Low | Dependencies not version-pinned (supply chain) | scripts/requirements.txt:1
  scripts/requirements.txt uses >= versioning for all dependencies without upper bounds, which could allow incompatible or compromised versions to be installed.
  Evidence:
    networkx>=2.8
    numpy>=1.21
    ...
  → Pin versions with both minimum and maximum bounds, e.g. 'networkx>=2.8,<3.0'
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | WRITE | NONE | ✓ consistent | SKILL.md:4 declares 'Write' but main.py only uses pathlib.Path for DATA_DIR crea…
Command execution | WRITE | NONE | ✓ consistent | SKILL.md:4 declares 'Bash' but main.py contains no subprocess, os.system, or any…
Network access | NONE | NONE | | No network requests found in code
Environment variables | NONE | NONE | | No os.environ access or credential harvesting

Directory structure

5 files · 44.3 KB · 1201 lines
Python: 1 file · 1078 lines; Markdown: 1 file · 102 lines; Text: 2 files · 11 lines; JSON: 1 file · 10 lines
├─ 📁 scripts
│ ├─ 🐍 main.py Python 1078L · 40.0 KB
│ └─ 📄 requirements.txt Text 7L · 98 B
├─ 📄 requirements.txt Text 4L · 35 B
├─ 📝 SKILL.md Markdown 102L · 3.9 KB
└─ 📋 tile.json JSON 10L · 259 B

Dependency analysis (7)

Package | Version | Source | Known vulnerabilities | Notes
networkx | >=2.8 | pip | | Version not pinned with upper bound
numpy | >=1.21 | pip | | Version not pinned with upper bound
pandas | >=1.3 | pip | | Version not pinned with upper bound
scikit-learn | >=1.0 | pip | | Version not pinned with upper bound
matplotlib | >=3.5 | pip | | Version not pinned with upper bound
seaborn | >=0.11 | pip | | Version not pinned with upper bound
openai | >=1.0 | pip | | Imported but not actually used in code; version not pinned

Security highlights

✓ No shell execution (no subprocess, os.system, or command injection)
✓ No network requests or data exfiltration
✓ No credential harvesting or sensitive file access (~/.ssh, ~/.aws, .env)
✓ No obfuscation techniques (no base64, eval, or anti-analysis)
✓ No reverse shell or C2 communication patterns
✓ Legitimate academic research tool with clear, understandable logic
✓ Uses well-established libraries (networkx, numpy, scikit-learn) with no custom dangerous code