技能 semantic-scholar-library-feed 审计历史
📦

审计历史

semantic-scholar-library-feed - 3 审计

审计版本 3

最新 低风险

May 21, 2026, 11:04 AM

The static analyzer flagged 185 potential issues across 6 files (1423 lines), but all findings are false positives upon manual review. The overwhelming majority (141 external_commands flags) originate from shell command examples in documentation files (SKILL.md, reference markdowns in references/) that show users how to run the CLI tool, not from executable code executing arbitrary commands. Network connections target only legitimate Semantic Scholar API endpoints (semanticscholar.org), and base64 decode operations are used for parsing server-side rendered data blobs, not for obfuscation. This is a well-documented, transparent skill for Semantic Scholar API interaction with no evidence of malicious intent or data exfiltration.

6
已扫描文件
1,423
分析行数
10
发现项
claude
审计者
低风险问题 (6)
SKILL.md:10-114references/auth-and-cookies.md:7-79references/library.md:11-90references/research-feed.md:5-94
External Commands in Documentation Files
The static analyzer found 141 instances of external command patterns, but these are false positives. All instances in reference markdown files (references/auth-and-cookies.md, references/library.md, references/research-feed.md) and SKILL.md are shell command examples in code blocks showing CLI usage, not executable code executing user-controlled input. Instances in scripts/semantic_scholar_cli.py are SystemExit() calls with string messages and shlex.split() for legitimate curl parsing. Instances in ss_store.py:320 are base64.b64decode for SSR data parsing. No command injection risk exists.
scripts/ss_store.py:13-23scripts/ss_store.py:236-302
Network Connections to Semantic Scholar API
The static analyzer flagged 10 network-related patterns (hardcoded URLs, HTTP client usage, Chrome version string). All network destinations are legitimate Semantic Scholar domains (semanticscholar.org, api.semanticscholar.org). The Chrome version string '133.0.0.0' at ss_store.py:22 is part of a User-Agent header, not an IP address. HTTP requests use standard Python urllib for API interaction. No data exfiltration to third-party hosts detected.
scripts/ss_store.py:17-19SKILL.md:41-42
Filesystem Access for Cookie Storage
The static analyzer flagged 16 filesystem access patterns. These are false positives - they refer to legitimate cookie storage paths (~/.auth/semantic-scholar.cookies.json) and temporary output directories (/tmp/). The skill requires filesystem access to store and retrieve authentication cookies and output files, which is documented and expected behavior. No unauthorized file access or exfiltration patterns detected.
scripts/ss_store.py:324-327
Base64 Decode for SSR Data Parsing
The static analyzer flagged base64.b64decode at ss_store.py:326 as potential obfuscation. This is a false positive - the decode operation is used to parse Semantic Scholar's server-side rendered 'var DATA' JSON blob that is base64-encoded by the website. This is a standard web-scraping technique for extracting SSR data, not code obfuscation or data exfiltration.
scripts/semantic_scholar_cli.py:11-30
Standard Python Import Statement Misidentified
The static analyzer flagged 'from ss_store import (...)' at semantic_scholar_cli.py:11 as a dynamic import() expression. This is a false positive - it is a standard Python module import statement, not a dynamic import call. The syntax is 'from module import name', not 'import()'.
SKILL.md:3scripts/semantic_scholar_cli.py:541-543
Weak Cryptographic Algorithm Misdetection
The static analyzer flagged several lines for 'Weak cryptographic algorithm' based on string matching. References to algorithm-like words appear in argparse description strings (semantic_scholar_cli.py:541,543), YAML front matter (SKILL.md:3), and markdown documentation. None of these represent actual cryptographic operations. No encryption or hashing functions are called in the codebase.

风险因素

⚙️ 外部命令 (141)
references/auth-and-cookies.md:7 references/auth-and-cookies.md:8 references/auth-and-cookies.md:10 references/auth-and-cookies.md:12 references/auth-and-cookies.md:14 references/auth-and-cookies.md:15 references/auth-and-cookies.md:21-23 references/auth-and-cookies.md:23-25 references/auth-and-cookies.md:25 references/auth-and-cookies.md:25-29 references/auth-and-cookies.md:29-32 references/auth-and-cookies.md:32-36 references/auth-and-cookies.md:36-39 references/auth-and-cookies.md:39-41 references/auth-and-cookies.md:41 references/auth-and-cookies.md:41-45 references/auth-and-cookies.md:45-51 references/auth-and-cookies.md:51-52 references/auth-and-cookies.md:52-54 references/auth-and-cookies.md:54 references/auth-and-cookies.md:54-64 references/auth-and-cookies.md:64 references/auth-and-cookies.md:64 references/auth-and-cookies.md:64 references/auth-and-cookies.md:64 references/auth-and-cookies.md:64-76 references/auth-and-cookies.md:76-77 references/auth-and-cookies.md:77-79 references/auth-and-cookies.md:38 references/auth-and-cookies.md:36-39 references/library.md:11 references/library.md:15 references/library.md:16 references/library.md:17 references/library.md:18 references/library.md:19 references/library.md:23 references/library.md:23 references/library.md:24 references/library.md:26 references/library.md:32 references/library.md:36-44 references/library.md:44-46 references/library.md:46-48 references/library.md:48-52 references/library.md:52-56 references/library.md:56-62 references/library.md:62-63 references/library.md:63 references/library.md:63-64 references/library.md:64 references/library.md:64-66 references/library.md:66-70 references/library.md:70 references/library.md:70-71 references/library.md:71 references/library.md:71-72 references/library.md:72-73 references/library.md:73-74 references/library.md:74-79 references/library.md:79-80 references/library.md:80-81 references/library.md:81-85 references/library.md:85-90 references/research-feed.md:5 references/research-feed.md:11 references/research-feed.md:17 references/research-feed.md:19 references/research-feed.md:27 references/research-feed.md:31 references/research-feed.md:32 references/research-feed.md:33 references/research-feed.md:35 references/research-feed.md:35 references/research-feed.md:35 references/research-feed.md:39 references/research-feed.md:41 references/research-feed.md:43 references/research-feed.md:45 references/research-feed.md:47 references/research-feed.md:47 references/research-feed.md:51 references/research-feed.md:51 references/research-feed.md:51 references/research-feed.md:53 references/research-feed.md:53 references/research-feed.md:59 references/research-feed.md:60 references/research-feed.md:60 references/research-feed.md:61 references/research-feed.md:63 references/research-feed.md:73 references/research-feed.md:74 references/research-feed.md:75 references/research-feed.md:76 references/research-feed.md:77 references/research-feed.md:78 references/research-feed.md:79 references/research-feed.md:80 references/research-feed.md:82 references/research-feed.md:82 references/research-feed.md:86 references/research-feed.md:87 references/research-feed.md:91-94 scripts/semantic_scholar_cli.py:45 scripts/semantic_scholar_cli.py:45 scripts/semantic_scholar_cli.py:258 scripts/semantic_scholar_cli.py:258 scripts/semantic_scholar_cli.py:573 scripts/ss_store.py:320 SKILL.md:10 SKILL.md:16-18 SKILL.md:18-22 SKILL.md:22-25 SKILL.md:25-27 SKILL.md:27-31 SKILL.md:31-33 SKILL.md:33-41 SKILL.md:41-42 SKILL.md:42-44 SKILL.md:44 SKILL.md:44-54 SKILL.md:54-56 SKILL.md:56-58 SKILL.md:58-60 SKILL.md:60-62 SKILL.md:62-65 SKILL.md:65-77 SKILL.md:77-82 SKILL.md:82-86 SKILL.md:86-91 SKILL.md:91-93 SKILL.md:93 SKILL.md:93-97 SKILL.md:97-99 SKILL.md:99-102 SKILL.md:102-112 SKILL.md:112 SKILL.md:112-113 SKILL.md:113 SKILL.md:113-114
🌐 网络访问 (10)
references/auth-and-cookies.md:77 references/library.md:52 references/research-feed.md:11 scripts/ss_store.py:236 scripts/ss_store.py:284 scripts/ss_store.py:302 scripts/ss_store.py:13 scripts/ss_store.py:15 scripts/ss_store.py:16 scripts/ss_store.py:22
📁 文件系统访问 (16)
references/auth-and-cookies.md:7 references/auth-and-cookies.md:8 references/auth-and-cookies.md:7 references/auth-and-cookies.md:8 references/auth-and-cookies.md:14 references/auth-and-cookies.md:15 references/auth-and-cookies.md:31 references/library.md:89 references/research-feed.md:93 SKILL.md:41 SKILL.md:42 SKILL.md:41 SKILL.md:42 SKILL.md:24 SKILL.md:64 SKILL.md:81
⚡ 包含脚本 (1)
scripts/semantic_scholar_cli.py:11-30

审计版本 2

低风险

Apr 21, 2026, 11:02 AM

This is a legitimate research management tool for Semantic Scholar. Static findings flagged 185 potential issues, but manual evaluation confirms all are false positives. The skill uses Python CLI scripts for cookie-based API access, standard file paths (~/.auth/), and base64 encoding for decoding server-side rendered data. No malicious patterns, data exfiltration, or unauthorized credential usage detected.

6
已扫描文件
1,423
分析行数
9
发现项
claude
审计者

高风险问题 (1)

scripts/ss_store.py:326-327
False Positive: Weak Cryptographic Algorithm
Static analyzer flagged base64.b64decode as 'weak cryptographic algorithm'. Base64 is encoding, not encryption, and is used legitimately to decode SSR data from Semantic Scholar's HTML pages. This is standard API behavior.
中风险问题 (2)
SKILL.md:10-113references/auth-and-cookies.md:7-77references/library.md:11-90references/research-feed.md:5-94
False Positive: Ruby/Shell Backtick Execution
Static analyzer detected 'backtick execution' in markdown documentation files (SKILL.md, references/*.md). Backticks in markdown are code fences, not shell commands. The actual Python scripts (semantic_scholar_cli.py, ss_store.py) use proper subprocess calls, not shell backticks.
scripts/semantic_scholar_cli.py:117scripts/semantic_scholar_cli.py:131scripts/semantic_scholar_cli.py:349-351references/library.md:46references/library.md:62references/library.md:87references/research-feed.md:13references/research-feed.md:53SKILL.md:79SKILL.md:88
False Positive: System Reconnaissance
Static analyzer flagged file existence checks and URL parsing as 'system reconnaissance'. These are standard CLI operations: checking if cookie store exists, parsing folder IDs from URLs, validating API responses. Legitimate tool behavior.
低风险问题 (2)
references/auth-and-cookies.md:7references/auth-and-cookies.md:8SKILL.md:41SKILL.md:42
False Positive: Hidden File Access
Static analyzer flagged ~/.auth/ directory access as 'hidden file in home directory'. This is standard configuration directory for storing authentication tokens. No malicious intent detected.
references/auth-and-cookies.md:14-15references/auth-and-cookies.md:31references/library.md:89references/research-feed.md:93SKILL.md:24SKILL.md:64SKILL.md:81
Intentional: Temp Directory Access
Skill writes to /tmp/ for intermediate data (research feed exports, folder exports). This is intentional for data processing workflows and standard practice for CLI tools.

风险因素

⚙️ 外部命令 (12)
SKILL.md:17-18 SKILL.md:23-25 SKILL.md:57-58 SKILL.md:63-65 SKILL.md:78-82 SKILL.md:87-91 SKILL.md:100-103 references/auth-and-cookies.md:21-23 references/auth-and-cookies.md:29-32 references/auth-and-cookies.md:38-39 references/library.md:85-90 references/research-feed.md:91-94
🌐 网络访问 (3)
scripts/ss_store.py:15-16 scripts/ss_store.py:22 scripts/ss_store.py:236-302
📁 文件系统访问 (3)
scripts/ss_store.py:17-19 SKILL.md:41-42 references/auth-and-cookies.md:7-8
⚡ 包含脚本 (2)
scripts/semantic_scholar_cli.py:1-646 scripts/ss_store.py:1-396

审计版本 1

中风险

Apr 21, 2026, 09:45 AM

This is a legitimate academic research tool for interacting with Semantic Scholar APIs. All static findings are false positives: Python subprocess calls use hardcoded command strings with no user injection, hardcoded URLs are all legitimate Semantic Scholar endpoints, filesystem access is to user-specific config directories, and base64 decoding is for legitimate SSR data extraction. The skill uses cookie-based authentication which is a standard pattern for accessing authenticated web APIs.

6
已扫描文件
1,423
分析行数
4
发现项
claude
审计者
未发现安全问题

风险因素

⚙️ 外部命令 (141)
references/auth-and-cookies.md:7 references/auth-and-cookies.md:8 references/auth-and-cookies.md:10 references/auth-and-cookies.md:12 references/auth-and-cookies.md:14 references/auth-and-cookies.md:15 references/auth-and-cookies.md:21-23 references/auth-and-cookies.md:23-25 references/auth-and-cookies.md:25 references/auth-and-cookies.md:25-29 references/auth-and-cookies.md:29-32 references/auth-and-cookies.md:32-36 references/auth-and-cookies.md:36-39 references/auth-and-cookies.md:39-41 references/auth-and-cookies.md:41 references/auth-and-cookies.md:41-45 references/auth-and-cookies.md:45-51 references/auth-and-cookies.md:51-52 references/auth-and-cookies.md:52-54 references/auth-and-cookies.md:54 references/auth-and-cookies.md:54-64 references/auth-and-cookies.md:64 references/auth-and-cookies.md:64 references/auth-and-cookies.md:64 references/auth-and-cookies.md:64 references/auth-and-cookies.md:64-76 references/auth-and-cookies.md:76-77 references/auth-and-cookies.md:77-79 references/auth-and-cookies.md:38 references/auth-and-cookies.md:36-39 references/library.md:11 references/library.md:15 references/library.md:16 references/library.md:17 references/library.md:18 references/library.md:19 references/library.md:23 references/library.md:23 references/library.md:24 references/library.md:26 references/library.md:32 references/library.md:36-44 references/library.md:44-46 references/library.md:46-48 references/library.md:48-52 references/library.md:52-56 references/library.md:56-62 references/library.md:62-63 references/library.md:63 references/library.md:63-64 references/library.md:64 references/library.md:64-66 references/library.md:66-70 references/library.md:70 references/library.md:70-71 references/library.md:71 references/library.md:71-72 references/library.md:72-73 references/library.md:73-74 references/library.md:74-79 references/library.md:79-80 references/library.md:80-81 references/library.md:81-85 references/library.md:85-90 references/research-feed.md:5 references/research-feed.md:11 references/research-feed.md:17 references/research-feed.md:19 references/research-feed.md:27 references/research-feed.md:31 references/research-feed.md:32 references/research-feed.md:33 references/research-feed.md:35 references/research-feed.md:35 references/research-feed.md:35 references/research-feed.md:39 references/research-feed.md:41 references/research-feed.md:43 references/research-feed.md:45 references/research-feed.md:47 references/research-feed.md:47 references/research-feed.md:51 references/research-feed.md:51 references/research-feed.md:51 references/research-feed.md:53 references/research-feed.md:53 references/research-feed.md:59 references/research-feed.md:60 references/research-feed.md:60 references/research-feed.md:61 references/research-feed.md:63 references/research-feed.md:73 references/research-feed.md:74 references/research-feed.md:75 references/research-feed.md:76 references/research-feed.md:77 references/research-feed.md:78 references/research-feed.md:79 references/research-feed.md:80 references/research-feed.md:82 references/research-feed.md:82 references/research-feed.md:86 references/research-feed.md:87 references/research-feed.md:91-94 scripts/semantic_scholar_cli.py:45 scripts/semantic_scholar_cli.py:45 scripts/semantic_scholar_cli.py:258 scripts/semantic_scholar_cli.py:258 scripts/semantic_scholar_cli.py:573 scripts/ss_store.py:320 SKILL.md:10 SKILL.md:16-18 SKILL.md:18-22 SKILL.md:22-25 SKILL.md:25-27 SKILL.md:27-31 SKILL.md:31-33 SKILL.md:33-41 SKILL.md:41-42 SKILL.md:42-44 SKILL.md:44 SKILL.md:44-54 SKILL.md:54-56 SKILL.md:56-58 SKILL.md:58-60 SKILL.md:60-62 SKILL.md:62-65 SKILL.md:65-77 SKILL.md:77-82 SKILL.md:82-86 SKILL.md:86-91 SKILL.md:91-93 SKILL.md:93 SKILL.md:93-97 SKILL.md:97-99 SKILL.md:99-102 SKILL.md:102-112 SKILL.md:112 SKILL.md:112-113 SKILL.md:113 SKILL.md:113-114
🌐 网络访问 (10)
references/auth-and-cookies.md:77 references/library.md:52 references/research-feed.md:11 scripts/ss_store.py:236 scripts/ss_store.py:284 scripts/ss_store.py:302 scripts/ss_store.py:13 scripts/ss_store.py:15 scripts/ss_store.py:16 scripts/ss_store.py:22
📁 文件系统访问 (16)
references/auth-and-cookies.md:7 references/auth-and-cookies.md:8 references/auth-and-cookies.md:7 references/auth-and-cookies.md:8 references/auth-and-cookies.md:14 references/auth-and-cookies.md:15 references/auth-and-cookies.md:31 references/library.md:89 references/research-feed.md:93 SKILL.md:41 SKILL.md:42 SKILL.md:41 SKILL.md:42 SKILL.md:24 SKILL.md:64 SKILL.md:81
⚡ 包含脚本 (1)
scripts/semantic_scholar_cli.py:11-30
← 返回技能