Low Risk — Risk Score 22/100
Last scan: 18 hr ago
ITSM 工单自动提交技能 (ITSM Ticket Auto-Submission Skill)
Automatically submits ITSM tickets to the enterprise IT service management system (first-leg freight quote requests, last-leg freight quote requests, batch lookups, issue feedback)
Legitimate ITSM ticket automation tool with minor security concerns: hardcoded default credentials, a developer's Windows path left in the config, and sudo/apt-get shell activity that SKILL.md does not declare. No evidence of credential theft or malicious exfiltration.
Skill Name: ITSM 工单自动提交技能 (ITSM Ticket Auto-Submission Skill)
Duration: 64.8s
Engine: pi
Safe to install
Replace the hardcoded credentials with environment-variable lookup only (no fallback values) and rotate the exposed password. Remove the hardcoded Windows Administrator path. Pin dependency versions in requirements.txt. Declare the shell:WRITE capability (sudo, apt-get, pip install) explicitly in SKILL.md.

Findings (5 items)

Severity: Medium
Finding: Hardcoded default credentials in source code (Credential Theft)
Location: submit-itsm.py:35
submit-itsm.py carries a hardcoded username ('500525') and password ('Xy@123456') in the CONFIG dictionary. They are defaults that environment variables or command-line arguments can override, but plaintext credentials in source are a significant risk: anyone with access to the repository or a leaked copy can reuse them against the ITSM portal, and they remain in the repo history even after the lines are deleted.
    'username': '500525',
    'password': 'Xy@123456',
→ Remove the credentials from CONFIG. Read them from the environment only, with no fallback value, so a missing variable fails fast instead of silently logging in as the baked-in account. Example: CONFIG['username'] = os.environ['ITSM_USERNAME']. Treat the published password as compromised and rotate it.
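A hardened replacement for the CONFIG defaults, written here as an added example rather than code from the skill: credentials come from the ITSM_USERNAME / ITSM_PASSWORD variables the scan lists or from command-line flags (the flag names --username and --password-file are assumptions), there is no literal fallback, and the secret is redacted from repr so it does not land in logs or tracebacks.

```python
# Added example (not the skill's code): resolve the ITSM account from the
# environment or the command line with no built-in default. ITSM_USERNAME and
# ITSM_PASSWORD are the variable names the scan lists; the --username and
# --password-file flags are assumptions.
import argparse
import os
from dataclasses import dataclass


class MissingCredential(RuntimeError):
    """Raised when a credential is absent, so the caller fails before opening a browser."""


@dataclass(frozen=True, repr=False)
class Credentials:
    username: str
    password: str

    def __repr__(self) -> str:
        # Keep the secret out of logs, tracebacks and debugger output.
        return f"Credentials(username={self.username!r}, password='***')"


def load_credentials(environ=None, argv=None) -> Credentials:
    """Resolve the account: CLI flag first, then environment, never a literal default.

    The password is taken from a file rather than a --password flag because argv is
    visible to every local user via ps and /proc.
    """
    environ = os.environ if environ is None else environ
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--username")
    parser.add_argument("--password-file")
    args, _unknown = parser.parse_known_args(argv)  # other flags belong to the main CLI

    username = args.username or environ.get("ITSM_USERNAME")
    if args.password_file:
        with open(args.password_file, encoding="utf-8") as fh:
            password = fh.read().strip()
    else:
        password = environ.get("ITSM_PASSWORD")

    missing = [name for name, value in (("ITSM_USERNAME", username),
                                        ("ITSM_PASSWORD", password)) if not value]
    if missing:
        raise MissingCredential(
            f"missing {', '.join(missing)}; set the variable(s), there is no default")
    return Credentials(username=username, password=password)


if __name__ == "__main__":
    # Constructed environment for a stand-alone run; real use passes os.environ.
    demo_env = {"ITSM_USERNAME": "example-user", "ITSM_PASSWORD": "example-secret"}
    print(load_credentials(environ=demo_env, argv=[]))  # password is redacted in repr
```

Exporting the two variables before running start.sh keeps them out of the repository; an empty value is treated the same as a missing one, so a misconfigured CI job cannot reach the login form with a blank password.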
Severity: Low
Finding: Hardcoded Windows path exposing internal username (Sensitive Access)
Location: submit-itsm.py:40
The attachmentPath config holds a hardcoded Windows path, 'C:\Users\Administrator\Desktop\30d5179fb6468e1643740a153838a9dd (1).jpeg', that reveals the local account name ('Administrator') and a file name from what appears to be a developer workstation. start.sh provisions a Linux host (apt-get), so the path will not exist there and the default attachment upload fails at runtime.
    'attachmentPath': r'C:\Users\Administrator\Desktop\30d5179fb6468e1643740a153838a9dd (1).jpeg',
→ Remove the hardcoded attachmentPath or set it to an empty string/None, accept attachment paths only from an environment variable or command-line argument, and check that the supplied path exists before starting the browser session.
Severity: Medium
Finding: Shell execution not declared in SKILL.md (Priv Escalation)
Location: start.sh:21
start.sh runs privileged shell commands: 'sudo apt-get update', 'sudo apt-get install -y chromium-browser', 'pip install', and chromium-browser process management. SKILL.md claims '零依赖' (zero dependencies) and describes system dependencies, but does not declare the shell:WRITE capability or document the sudo/apt operations, so anyone reviewing the manifest would not expect root-level package changes on install.
    sudo apt-get update -qq
    sudo apt-get install -y chromium-browser
→ Update SKILL.md to declare shell:WRITE explicitly and document every system-level operation (apt-get, sudo, process management), or drop the sudo path and require the operator to install chromium-browser beforehand.
Severity: Low
Finding: Unpinned Python dependency versions (Supply Chain)
Location: requirements.txt:1
requirements.txt uses lower-bound-only specifiers (selenium>=4.0.0, requests>=2.28.0) with no upper bound. pip resolves these to whatever the newest release is at install time, so a future compromised release would be picked up automatically. The risk is low for mainstream packages like selenium and requests, but pinning is standard practice.
    selenium>=4.0.0
    requests>=2.28.0
→ Pin exact versions and add --hash entries so pip can install with --require-hashes, which verifies each downloaded artifact. The PEP 440 compatible-release operator is ~= (not ~>): selenium~=4.0.0 still floats across 4.0.x patch releases, so it narrows the window rather than closing it.
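The check below, an added example and not part of the skill, reads requirements.txt the way pip does (comments stripped, backslash continuations joined) and classifies each line by how much it lets pip float. The selenium and requests lines in the sample are the ones quoted above; the pinned urllib3 line with a --hash entry is constructed and its digest is a placeholder, not a real value.

```python
# Added example (not the skill's code): audit requirements.txt for specifiers that
# let pip pick a future release, and for the absence of --hash verification.
import re
from dataclasses import dataclass

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?(.*)$")
_OP_RE = re.compile(r"[<>=!~]+")


@dataclass
class Finding:
    name: str
    status: str    # pinned | compatible | bounded | unbounded | unpinned
    hashed: bool   # at least one --hash= option on the line
    detail: str


def _logical_lines(text):
    """Strip comments and join backslash continuations, as pip does when reading the file."""
    buf = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        buf = []
        if joined:
            yield joined
    tail = " ".join(buf).strip()
    if tail:
        yield tail


def audit_requirements(text):
    """Classify every requirement line by how tightly it constrains what pip may install."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-"):                          # -r, -e, --index-url: options, not packages
            continue
        tokens = line.split()
        hashed = any(t.startswith("--hash=") for t in tokens)
        spec = "".join(t for t in tokens if not t.startswith("--hash="))
        spec = spec.split(";", 1)[0]                      # drop environment markers
        if "://" in spec or spec.startswith((".", "/")):  # URLs and local paths: out of scope
            continue
        match = _NAME_RE.match(spec)
        if not match:
            continue
        name = match.group(1)
        ops = [m.group(0) for m in (_OP_RE.match(s) for s in match.group(3).split(",")) if m]
        if any(op in ("==", "===") for op in ops):
            status, detail = "pinned", "exact version"
        elif "~=" in ops:
            status, detail = "compatible", "floats within the compatible-release range"
        elif any(op in ("<", "<=") for op in ops):
            status, detail = "bounded", "has an upper bound but still floats"
        elif ops:
            status, detail = "unbounded", "lower bound only; any future release is accepted"
        else:
            status, detail = "unpinned", "no version specifier"
        findings.append(Finding(name, status, hashed, detail))
    return findings


def needs_attention(finding):
    """Only an exact pin with a hash passes pip install --require-hashes unchanged."""
    return not (finding.status == "pinned" and finding.hashed)


if __name__ == "__main__":
    # The first two lines are the ones the scan quotes; the urllib3 line is a constructed
    # sample and its sha256 value is a placeholder, not a real digest.
    sample = (
        "selenium>=4.0.0\n"
        "requests>=2.28.0\n"
        "urllib3==2.2.3 \\\n"
        "    --hash=sha256:" + "0" * 64 + "\n"
    )
    for f in audit_requirements(sample):
        print(f"{f.name:10} {f.status:11} hashed={str(f.hashed):5} {f.detail}")
```

A line is left alone only when it is pinned with == and carries a --hash, which is what pip install --require-hashes enforces at install time; pip-compile --generate-hashes from pip-tools produces such a file from the loose specifiers the skill ships.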
Severity: Low
Finding: Remote get-pip.py download as fallback (Supply Chain)
Location: start.sh:89
start.sh downloads get-pip.py from bootstrap.pypa.io as a fallback pip installation method. bootstrap.pypa.io is legitimate Python infrastructure, but the script is fetched and executed with no integrity check, so a compromised or redirected URL, or an intercepting proxy, yields arbitrary code execution on the host. The curl invocation also lacks -f, so an HTTP error page would be written to $GET_PIP_FILE and handed to the interpreter as if it were the installer.
    curl -sS "$GET_PIP_URL" -o "$GET_PIP_FILE"
→ Remove the remote get-pip.py fallback and rely on python -m ensurepip or the system package manager. If a download must remain, pin its expected SHA-256 and verify it before execution.
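For the fallback at start.sh:89, the added example below (not code from the skill) tries python -m ensurepip first and only then downloads get-pip.py, verifying a pinned SHA-256 before handing the file to the interpreter. GET_PIP_URL is the URL the scan lists; EXPECTED_GET_PIP_SHA256 is a placeholder that a maintainer would replace with a digest recorded out-of-band and committed next to start.sh.

```python
# Added example (not the skill's code): verify-before-execute for an out-of-band
# installer such as the get-pip.py fallback, with the stdlib ensurepip tried first.
# EXPECTED_GET_PIP_SHA256 is a placeholder, not the real digest; the genuine value
# must come from a trusted record, never from the same server as the script.
import hashlib
import hmac
import os
import shutil
import subprocess
import sys
import urllib.request

GET_PIP_URL = "https://bootstrap.pypa.io/get-pip.py"   # URL from the scan report
EXPECTED_GET_PIP_SHA256 = "0" * 64                      # placeholder (assumption)


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large or hostile download never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_sha256(path, expected_hex):
    """Constant-time comparison; any mismatch, including a truncated file, is False."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def fetch_verified(url, expected_hex, dest, timeout=30):
    """Download, verify, and delete on mismatch so nothing unverified is left behind."""
    # urlopen raises HTTPError on 4xx/5xx, unlike `curl -sS` without -f, which would
    # save the error page under the script's name.
    with urllib.request.urlopen(url, timeout=timeout) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)
    if not verify_sha256(dest, expected_hex):
        os.remove(dest)
        raise RuntimeError(f"SHA-256 mismatch for {url}; refusing to execute it")
    return dest


def ensure_pip(fallback_url=GET_PIP_URL, fallback_sha256=EXPECTED_GET_PIP_SHA256):
    """Prefer the interpreter's own bootstrap; only then use the digest-pinned download."""
    result = subprocess.run([sys.executable, "-m", "ensurepip", "--upgrade"])
    if result.returncode == 0:
        return "ensurepip"
    script = fetch_verified(fallback_url, fallback_sha256, "get-pip.py")
    subprocess.run([sys.executable, script], check=True)
    return "get-pip"


if __name__ == "__main__":
    # Offline self-check on a constructed file: the SHA-256 of empty input is well known.
    open("empty.bin", "wb").close()
    assert verify_sha256("empty.bin", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
    assert not verify_sha256("empty.bin", "0" * 64)
    os.remove("empty.bin")
    print("digest check OK")
```

Because the mismatch path removes the file, a later step in the script cannot run a half-downloaded or substituted get-pip.py by accident; the digest has to be updated deliberately whenever the pinned installer version changes, which is the point.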
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | Screenshots + attachment upload; declared in SKILL.md
Network | READ | READ | ✓ Aligned | Accesses itsm.westmonth.com; declared in SKILL.md
Shell | NONE | WRITE | ✗ Violation | start.sh:21-30 apt-get update/install, start.sh:53-89 pip install with fallback …
Environment | READ | READ | ✓ Aligned | Accepts ITSM_USERNAME, ITSM_PASSWORD, etc. from env vars
Browser | WRITE | WRITE | ✓ Aligned | Uses Selenium+CDP to control chromium-browser; declared
External URLs (2 findings)
Medium | External URL | https://itsm.westmonth.com/#/create | start.sh:13
Medium | External URL | https://bootstrap.pypa.io/get-pip.py | start.sh:89

File Tree

6 files · 31.3 KB · 865 lines
Python: 1 file, 493 lines · Shell: 2 files, 209 lines · Markdown: 1 file, 148 lines · JSON: 1 file, 13 lines · Text: 1 file, 2 lines
├─ 🔧 close.sh Shell 14L · 340 B
├─ 📋 package.json JSON 13L · 381 B
├─ 📄 requirements.txt Text 2L · 35 B
├─ 📝 SKILL.md Markdown 148L · 3.1 KB
├─ 🔧 start.sh Shell 195L · 6.6 KB
└─ 🐍 submit-itsm.py Python 493L · 20.9 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
selenium | >=4.0.0 | pip | No | Version not pinned; only lower bound specified
requests | >=2.28.0 | pip | No | Version not pinned; only lower bound specified

Security Positives

✓ No credential exfiltration: hardcoded credentials are only used for ITSM login form submission, not sent to third parties
✓ No obfuscation detected: all code is plain text, no base64/eval/atob patterns
✓ No unauthorized sensitive path access: no access to ~/.ssh, ~/.aws, or .env files
✓ No C2 communication or data theft indicators
✓ Screenshots are saved locally only, not exfiltrated
✓ Uses legitimate, documented ITSM portal (itsm.westmonth.com)
✓ Dependency requests is a standard HTTP library, not a data exfiltration tool
✓ Selenium+CDP is a standard browser automation approach