suspicious.insecure_tls_verification
- Location: scripts/check_sensitive_words.py:172
- Finding: HTTPS certificate verification is disabled.
Advisory: Audited by static analysis on May 10, 2026.
Detected: suspicious.insecure_tls_verification
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Drafts, uploaded-file text, or webpage text submitted for checking could be exposed to or modified by an active network attacker or a misconfigured endpoint.
The script intentionally disables normal HTTPS endpoint verification and SNI while the skill sends user content to a configured detection API. That makes the API identity unverifiable and increases interception or tampering risk.
Specify the target site via the Host header, bypassing SNI-based CDN/ICP interception. ... context.check_hostname = False ... context.verify_mode = ssl.CERT_NONE ... ssl_sock = context.wrap_socket(sock)
Re-enable standard TLS verification with server_hostname/SNI, ensure the configured host matches a valid certificate, and clearly disclose the trusted API provider and data handling.
Using the skill may install and run third-party packages and a browser component in the local environment.
The skill requires third-party Python packages and a Playwright browser install. This is consistent with its file and webpage extraction features, but it expands the local supply-chain surface.
dependency:
  python:
    - python-docx==1.1.0
    - beautifulsoup4==4.12.3
    - playwright==1.58.0
  system:
    - playwright install chromium
Install dependencies from trusted package indexes, keep versions pinned, and prefer a registry install spec that makes these setup requirements explicit.