Low risk: risk score 22/100
Last scanned: 20 hours ago
ITSM Ticket Auto-Submission Skill
Automatically submits ITSM tickets to the enterprise IT service management system (first-leg quote, last-leg quote, batch query, issue feedback)
Legitimate ITSM ticket automation tool with minor security concerns: hardcoded default credentials and Windows path exposure, but no evidence of credential theft or malicious exfiltration.
Skill name: ITSM Ticket Auto-Submission Skill
Analysis time: 64.8s
Engine: pi
Verdict: can be installed
Read credentials only from environment variables, with no hardcoded defaults. Remove the hardcoded Windows Administrator path. Pin dependency versions in requirements.txt. Declare the shell:WRITE capability explicitly in SKILL.md.

Security findings (5)

Severity | Finding | Location
Medium
Hardcoded default credentials in source code (Credential theft)
submit-itsm.py hardcodes a username ('500525') and password ('Xy@123456') in the CONFIG dictionary. They are only defaults that environment variables or command-line arguments can override, but storing plaintext credentials in source code is a significant risk: anyone who obtains the repository gets a working ITSM login, and every installation that does not override them authenticates as that one shared account.
    'username': '500525',
    'password': 'Xy@123456',
→ Remove the credentials from CONFIG and read them only from the environment, with no default. os.environ.get('ITSM_USERNAME', '') still falls back to an empty string and the script would then attempt a login with an empty username; use os.environ['ITSM_USERNAME'] or an explicit check so a missing secret aborts at startup.
submit-itsm.py:35
Low
Hardcoded Windows path exposing internal username (Sensitive access)
attachmentPath defaults to the hardcoded Windows path 'C:\Users\Administrator\Desktop\30d5179fb6468e1643740a153838a9dd (1).jpeg', a leftover from the developer's machine. It names the 'Administrator' account and a file that is unlikely to exist on any other system, so out of the box the attachment step points at a non-existent file.
    'attachmentPath': r'C:\Users\Administrator\Desktop\30d5179fb6468e1643740a153838a9dd (1).jpeg',
→ Remove the hardcoded attachmentPath (empty string or None by default) and accept attachment paths only from an environment variable or command-line argument, checking that the file exists before upload.
submit-itsm.py:40
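The two findings above share one fix: a settings loader that refuses to run without explicit credentials and validates any attachment path before it reaches the uploader. The block below is an added example written for this report, not code from the skill. ITSM_USERNAME and ITSM_PASSWORD are the variable names the scan says the script already accepts; ITSM_ATTACHMENT and the "attachments must live under one allowed directory" rule are assumptions made for the example.

```python
"""Fail-fast settings loader for submit-itsm.py (added example, not the skill's code).

Replaces the CONFIG dictionary that shipped a default username/password and a
developer machine's attachment path. ITSM_USERNAME and ITSM_PASSWORD are the
env var names the scan report says the script already accepts; ITSM_ATTACHMENT
and the allowed-directory rule are assumptions made for this example.
"""
import os
from dataclasses import dataclass
from pathlib import Path
from typing import Mapping, Optional


class ConfigError(ValueError):
    """A required setting is missing or the attachment path is not allowed."""


@dataclass(frozen=True)
class ItsmConfig:
    username: str
    password: str
    attachment: Optional[Path]  # None: submit the ticket without an attachment


def _required(env: Mapping[str, str], name: str) -> str:
    """Return a non-empty env var or raise; there is deliberately no default."""
    value = env.get(name, "").strip()
    if not value:
        raise ConfigError(f"{name} is not set; refusing to fall back to a built-in account")
    return value


def _attachment(env: Mapping[str, str], name: str, allowed_root: Path) -> Optional[Path]:
    """Optional attachment: must exist and live under allowed_root.

    Resolving both sides first defeats '..' and symlink tricks, so an env var
    cannot point the uploader at ~/.ssh/id_rsa or another sensitive file.
    """
    raw = env.get(name, "").strip()
    if not raw:
        return None
    path = Path(raw).expanduser().resolve()
    root = allowed_root.resolve()
    if root not in path.parents:
        raise ConfigError(f"{name} must be a file inside {root}, got {path}")
    if not path.is_file():
        raise ConfigError(f"{name} does not exist: {path}")
    return path


def load_config(env: Mapping[str, str], allowed_root: Path) -> ItsmConfig:
    """Build the config from the environment only; raises ConfigError instead of guessing."""
    return ItsmConfig(
        username=_required(env, "ITSM_USERNAME"),
        password=_required(env, "ITSM_PASSWORD"),
        attachment=_attachment(env, "ITSM_ATTACHMENT", allowed_root),
    )


if __name__ == "__main__":
    # Example invocation: attachments are only accepted from ./attachments.
    cfg = load_config(os.environ, Path.cwd() / "attachments")
    print(f"would log in as {cfg.username!r}; attachment={cfg.attachment}")
```

Passing the environment in as a mapping rather than reading os.environ inside the functions is what makes the loader unit-testable and keeps the "no default account" rule in one place.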
Medium
Shell execution not declared in SKILL.md (Privilege escalation)
start.sh runs shell commands including 'sudo apt-get install chromium-browser', 'pip install', and chromium-browser process management. SKILL.md claims '零依赖' (zero dependencies) and describes system dependencies, but it neither declares the shell:WRITE capability nor documents that setup runs apt-get under sudo, so a user approving the skill from SKILL.md alone does not learn that it installs system packages as root.
sudo apt-get update -qq
sudo apt-get install -y chromium-browser
→ Update SKILL.md to declare shell:WRITE explicitly and document every system-level operation (apt-get, sudo, process management).
start.sh:21
Low
Unpinned Python dependency versions (Supply chain)
requirements.txt uses >= specifiers (selenium>=4.0.0, requests>=2.28.0) with no upper bound, so pip resolves to whatever release is newest at install time, including a future compromised or incompatible one. The risk is low for mainstream packages like selenium and requests, but pinning is the baseline supply-chain control.
selenium>=4.0.0
requests>=2.28.0
→ Pin exact versions with == (and add --hash entries so pip install --require-hashes can verify them), or at minimum use the compatible-release operator ~= (pip's equivalent of Ruby's ~>): selenium~=4.0.0, requests~=2.28.0. Note that ~=4.0.0 permits only 4.0.x releases; write ~=4.0 to allow any 4.x release.
requirements.txt:1
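A scanner flags the two lines above once; a CI check catches the next unpinned line before it ships. The block below is an added example for this report, not part of the skill: it lints a requirements.txt and reports every requirement that is not an exact == pin with a --hash, the form that pip install --require-hashes accepts. The sample file is constructed from the two lines the report quotes plus one compliant line whose digest is a placeholder, not a real certifi hash.

```python
"""Lint a requirements.txt for unpinned or unhashed dependencies (added example).

Not part of the skill; a CI check to run before `pip install`. A requirement
passes only when it pins one exact version with == and carries at least one
--hash, which is what `pip install --require-hashes` enforces.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample: the two lines the scan quotes plus one compliant line.
# The all-zero digest is a placeholder, not the hash of any certifi release.
SAMPLE_REQUIREMENTS = (
    "selenium>=4.0.0\n"
    "requests>=2.28.0\n"
    "certifi==2024.2.2 --hash=sha256:" + "0" * 64 + "\n"
)

# package name, optional [extras], then whatever specifier text follows
_NAME_SPEC = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?(.*)$")
_EXACT_PIN = re.compile(r"==\s*[0-9][^,*\s]*$")  # one == clause, no wildcard, no ranges
_HASH_OPT = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-fA-F]{64,}")


@dataclass(frozen=True)
class Problem:
    line_no: int
    package: str
    reason: str


def audit_requirements(text: str) -> List[Problem]:
    """Return one Problem per rule a requirement line violates (empty list = clean)."""
    problems: List[Problem] = []
    # Join backslash continuations so `pkg==1.0 \` / `    --hash=...` is one line.
    for line_no, raw in enumerate(text.replace("\\\n", " ").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("-"):       # blank, or a pip option line (-r, --index-url)
            continue
        head, *options = line.split()
        m = _NAME_SPEC.match(head)
        if not m:
            problems.append(Problem(line_no, head, "unparseable requirement"))
            continue
        package, spec = m.group(1), m.group(3).strip()
        if not spec:
            problems.append(Problem(line_no, package, "no version specifier at all"))
        elif not _EXACT_PIN.fullmatch(spec):
            problems.append(Problem(line_no, package, f"not an exact pin: {spec}"))
        if not any(_HASH_OPT.fullmatch(opt) for opt in options):
            problems.append(Problem(line_no, package, "missing --hash (pip --require-hashes would refuse it)"))
    return problems


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REQUIREMENTS
    found = audit_requirements(source)
    for p in found:
        print(f"line {p.line_no}: {p.package}: {p.reason}")
    sys.exit(1 if found else 0)
```

Run it as python audit_requirements.py requirements.txt in CI and fail the build on a non-zero exit. Generating the pinned-and-hashed file itself is a job for a lock tool; this check only refuses to let an unlocked file through.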
Low
Remote get-pip.py download as fallback (Supply chain)
start.sh downloads get-pip.py from bootstrap.pypa.io as a fallback pip installation method. bootstrap.pypa.io is the official PyPA bootstrap host, but the script is fetched and executed without any integrity check, so a compromise or redirection of that URL would run arbitrary code in the installer.
curl -sS "$GET_PIP_URL" -o "$GET_PIP_FILE"
→ Remove the remote get-pip.py fallback and rely on python3 -m ensurepip or the system package manager instead.
start.sh:89
Resource | Declared | Inferred | Status | Evidence
File system | WRITE | WRITE | ✓ consistent | Screenshots + attachment upload; declared in SKILL.md
Network access | READ | READ | ✓ consistent | Accesses itsm.westmonth.com; declared in SKILL.md
Command execution | NONE | WRITE | ✗ undeclared | start.sh:21-30 apt-get update/install, start.sh:53-89 pip install with fallback …
Environment variables | READ | READ | ✓ consistent | Accepts ITSM_USERNAME, ITSM_PASSWORD, etc. from env vars
Browser | WRITE | WRITE | ✓ consistent | Uses Selenium+CDP to control chromium-browser; declared
External URL findings (2)

Medium | External URL | https://itsm.westmonth.com/#/create | start.sh:13
Medium | External URL | https://bootstrap.pypa.io/get-pip.py | start.sh:89

Directory structure

6 files · 31.3 KB · 865 lines
Python 1 file · 493 lines; Shell 2 files · 209 lines; Markdown 1 file · 148 lines; JSON 1 file · 13 lines; Text 1 file · 2 lines
├─ close.sh          Shell     14L · 340 B
├─ package.json      JSON      13L · 381 B
├─ requirements.txt  Text      2L · 35 B
├─ SKILL.md          Markdown  148L · 3.1 KB
├─ start.sh          Shell     195L · 6.6 KB
└─ submit-itsm.py    Python    493L · 20.9 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
selenium | >=4.0.0 | pip | none listed | Version not pinned; only lower bound specified
requests | >=2.28.0 | pip | none listed | Version not pinned; only lower bound specified

Security highlights

✓ No credential exfiltration: the hardcoded credentials are only submitted to the ITSM login form, not sent to third parties
✓ No obfuscation detected: all code is plain text, no base64/eval/atob patterns
✓ No unauthorized sensitive path access: no access to ~/.ssh, ~/.aws, or .env files
✓ No C2 communication or data theft indicators
✓ Screenshots are saved locally only, not exfiltrated
✓ Uses legitimate, documented ITSM portal (itsm.westmonth.com)
✓ Dependency requests is a standard HTTP library, not a data exfiltration tool
✓ Selenium+CDP is a standard browser automation approach