Low Risk — Risk Score 20/100
Last scan: 2 days ago
china-top-doctor-referral
Referral service for chief/associate chief physicians at Grade-A tertiary (三甲) hospitals
Legitimate medical referral skill with documented external API communication. Minor undocumented behaviors (DEBUG_MODE detection, stdout push protocol) are present but not malicious.
Skill Name: china-top-doctor-referral
Duration: 34.6s
Engine: pi
Safe to install
Approve for use. Ensure end users consent to customer service message forwarding as documented. Consider documenting DEBUG_MODE behavior in SKILL.md for transparency.

Findings (3 items)

Severity: Low
Finding: Undocumented DEBUG_MODE environment detection
Location: config/api.js:8
config/api.js contains logic to detect a DEBUG_MODE file and switch between dev/prod environments. This behavior is not mentioned in the SKILL.md documentation.
Evidence: if (fs.existsSync(debugFilePath)) { return 'dev' }
→ Document this configuration mechanism in SKILL.md or remove the undocumented dev environment

Severity: Low
Finding: Hidden stdout-based IPC for push notifications
Location: scripts/refer.py:160
The poll_and_push() function outputs structured messages via stdout using a PUSH_MESSAGE: prefix. This is an undocumented communication channel for agent integration.
Evidence: print(f"PUSH_MESSAGE:{push_data}")
→ Document the stdout-based IPC mechanism or use a more explicit integration method

Severity: Info
Finding: Optional .env file handling for USER_ID
Location: scripts/refer.py:37
The code reads USER_ID from a .env file for local testing purposes. This is a minor undocumented feature.
Evidence: if line.startswith("USER_ID="):
→ Document .env support or remove if not needed
Resource Permissions

Resource | Declared / Inferred | Status | Evidence
Filesystem | READ WRITE | ✓ Aligned | scripts/refer.py:45 - creates pending_ctx.json
Network | READ WRITE | ✓ Aligned | scripts/refer.py:148 - POST to cs_webhook_url
Shell | NONE / NONE | | No subprocess/shell execution observed
External URLs (4 findings)

Severity | Type | URL | Location
Medium | External URL | https://www.ihaola.com.cn | SKILL.md:5
Medium | External URL | https://pe-t.ihaola.com.cn | SKILL.md:8
Medium | External URL | https://www.ihaola.com.cn/privacy | SKILL.md:29
Medium | External URL | https://t.ihaola.com.cn | config/api.js:15

File Tree

4 files · 156.8 KB · 3572 lines
JSON: 1 file · 3005 lines · Python: 1 file · 292 lines · Markdown: 1 file · 239 lines · JavaScript: 1 file · 36 lines
├─ 📁 config
│ └─ 📜 api.js JavaScript 36L · 761 B
├─ 📁 reference
│ └─ 📋 experts.json JSON 3005L · 136.5 KB
├─ 📁 scripts
│ └─ 🐍 refer.py Python 292L · 12.8 KB
└─ 📝 SKILL.md Markdown 239L · 6.8 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
openpyxl | * | pip | No | Optional dependency, not directly used in refer.py
urllib | builtin | stdlib | No | Standard library for HTTP requests

Security Positives

✓ No shell execution or subprocess usage observed
✓ No credential harvesting or exfiltration of sensitive data
✓ No base64 encoding, eval(), or other obfuscation techniques
✓ External API communication is clearly documented in privacy section
✓ User consent requirement mentioned in SKILL.md
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env production secrets)
✓ Open-source friendly dependencies (standard library + optional openpyxl)
✓ Data stays local for expert search feature (experts.json only)