安全决策报告

doctor-check

Name: doctor-check 可信度判断报告
Item: doctor-check
Rating: 55
Author: ClawSafe

SKILL.md declares API key validation and permission checks without specifying implementation details or access levels, creating a doc-to-code mismatch risk.

安装决策优先来源: 手动上传扫描时间: 2026/4/3

文件 1

IOC 0

越权项 0

发现 3

为什么得出这个结论

0/4 个维度触发

通过

声明与实际能力

声明资源与推断能力基本一致。

通过

隐藏执行与外联

当前没有明显的高危外联或执行信号。

通过

攻击链与高危发现

没有形成明确的恶意路径。

复核

依赖与供应链卫生

没有完整依赖信息，供应链判断需要保留弹性。

风险分是怎么被拉高的

Undeclared implementation +20

Skill declares 'API密钥有效性检查' without specifying how validation is performed

Ambiguous permission checks +15

'权限设置' declared but scope of permission access not specified

Implicit filesystem write +10

'锁文件清理' implies file deletion but not explicitly declared as WRITE access

最关键的证据

中危文档欺骗

API key validation method unspecified

SKILL.md declares 'API密钥有效性检查' but does not specify whether keys are validated locally or by calling external services. This creates ambiguity about network access and data handling.

SKILL.md:15

Clarify whether API keys are validated locally (structure check) or externally (network request to validation endpoint)

低危文档欺骗

Permission check scope not declared

'权限设置' (permission settings) is declared as a check item but the scope of what permissions are checked and how is not specified.

SKILL.md:16

Specify which permission categories are checked and what constitutes a permission issue

低危文档欺骗

Implicit filesystem WRITE not declared

'锁文件清理' (lock file cleanup) implies the ability to delete files, constituting filesystem WRITE access, but this is not explicitly declared in the capability model.

SKILL.md:12

Explicitly declare filesystem WRITE permission if lock file cleanup involves deletion

声明能力 vs 实际能力

文件系统 通过

声明 NONE

→

推断 UNKNOWN

SKILL.md: '锁文件清理' implies deletion capability

环境变量 通过

声明 READ

→

推断 UNKNOWN

SKILL.md: '环境检查' declared but no detail on scope

网络访问 通过

声明 NONE

→

推断 UNKNOWN

SKILL.md: 'API密钥有效性' may require network access for validation

可疑产物与外联

没有提取到明显 IOC。

依赖与供应链

没有结构化依赖告警。

文件构成

1 个文件 · 53 行

Markdown 1 个文件 · 53 行

需关注文件 · 1

SKILL.md Markdown · 53 行

API key validation method unspecified · Permission check scope not declared · Implicit filesystem WRITE not declared

安全亮点

No actual code files present - cannot execute malicious behavior without implementation

No network requests declared (only implied via API key check)

No credential harvesting explicitly declared

No base64, obfuscation, or suspicious patterns in documentation