prohibited-word-query (multi-platform prohibited-word query)

Advisory. Audited by static analysis on May 13, 2026.

Overview

Detected: suspicious.insecure_tls_verification

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

If a user asks the skill to check a webpage, a network attacker or misconfigured endpoint could alter the fetched page text that the agent analyzes and may later send to the detection API.

Why it was flagged

The webpage extraction helper explicitly disables hostname and certificate verification for HTTPS connections, so HTTPS URL fetching can accept spoofed or tampered responses.

Skill content
context.check_hostname = False       # hostname check disabled
context.verify_mode = ssl.CERT_NONE  # certificate verification disabled
ssl_sock = context.wrap_socket(sock)  # server_hostname not passed, so no SNI is sent
Recommendation

Keep TLS verification enabled for webpage fetching, pass server_hostname for SNI, and only use a clearly labeled manual fallback for exceptional sites after user confirmation.

What this means

Text, file-extracted text, image OCR text, or webpage text submitted for checking may leave the local environment and be processed by the stated third-party service.

Why it was flagged

The skill discloses that user text is sent to a third-party, non-official detection API for matching; this is purpose-aligned but important for privacy expectations.

Skill content
The content to be checked is sent via HTTPS POST to the following endpoint... `https://onetotenvip.com/story/cozeSkill/sensitiveWordSearch`... Request body fields: `content` (the text to check), `platform`, `source`
Recommendation

Do not submit confidential material unless you are comfortable with that service processing it; use the documented PROHIBITED_WORD_API_URL override for an approved internal HTTPS endpoint if needed.

Findings (1)

warn

suspicious.insecure_tls_verification

Location
scripts/extract_text.py:50
Finding
HTTPS certificate verification is disabled.