Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Research
v1.1.0
Conduct open-ended research on a topic, building a living markdown document. Supports interactive and deep research modes.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to run deep async research via a 'parallel-research' CLI and the Parallel AI API — that is coherent with a 'research' purpose. However the package metadata declares no required credentials or binaries, while the docs repeatedly reference a PARALLEL_API_KEY and a bundled CLI in scripts/ (to be symlinked). The repo does not include those scripts, so the claimed capabilities depend on external artifacts not provided or declared.
Instruction Scope
SKILL.md/SETUP.md instructs creating files under ~/.openclaw/workspace/research and scheduling cron jobs to poll results and deliver them back to channels (e.g., Discord). That behavior is within a research tool's scope, but the instructions also tell the user to run external installers and to expose an API key via exported env vars in ~/.bashrc. The cron payload includes a 'channel' and 'to' field used to post results externally — make sure you understand where outputs will be sent.
Install Mechanism
Although the registry lists no automated install, SETUP.md instructs the user to symlink scripts from ~/.openclaw/skills/research/scripts/ and to run a remote installer: 'curl -LsSf https://astral.sh/uv/install.sh | sh'. Download-and-execute from an external script is high-risk. Additionally, the instructions reference CLI scripts that are not included in the skill bundle, creating ambiguity about the source and integrity of those binaries.
Credentials
Registry metadata claims no required environment variables, but OPENCLAW.md and SETUP.md both reference PARALLEL_API_KEY (and recommend storing it in ~/.secrets and exporting it via ~/.bashrc). Requesting and loading an API key is reasonable for calling a third-party research API, but it should be declared in metadata and the install guidance should avoid insecure patterns (e.g., writing secrets into shell RC files or unclear script locations).
Persistence & Privilege
always:false (normal). The skill suggests setting up scheduled checks (cron jobs) that will run later and deliver results back to a channel. That creates background activity and outbound posting of research results; it's expected for async research but the user should confirm where results will be delivered and that the scheduled jobs won't leak sensitive content.
Scan Findings in Context
[NO_CODE_FILES] expected: The scanner found no code to analyze because this is an instruction-only skill (only SKILL.md, SETUP.md, OPENCLAW.md are present). Absence of code does not imply safety; the runtime instructions themselves include external installers and secret handling that must be reviewed.
What to consider before installing
This skill looks like a reasonable research assistant, but there are things that don't add up and some risky install steps. Before installing:
1) Ask the author for the missing 'parallel-research' and 'export-pdf' scripts (they are referenced but not included). Verify their source and checksum; do NOT symlink or run binaries from an untrusted location.
2) Don't run remote curl | sh installers (e.g., astral.sh) without reviewing the script. Prefer installing uv/pandoc from trusted package managers or official release pages.
3) Be careful how you store PARALLEL_API_KEY — avoid appending export commands into ~/.bashrc if you can use a safer secret store; if you must, restrict file permissions and understand who can read your shell config.
4) Review the cron payload: confirm the 'channel' and 'to' destinations where results will be posted so you don't inadvertently share sensitive results externally.
5) If you plan to use deep research, confirm what data (full scraped outputs, attachments) will be sent to Parallel AI and whether that's acceptable for your use case.
If the author cannot provide the missing CLI scripts or a trustworthy installation source, treat the skill as incomplete and avoid installing the recommended binaries.
Like a lobster shell, security has layers — review code before you run it.
latestvk975b7xepj02wa6gn7fa7xmkj981v5py
