Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cross Disciplinary Bridge Finder
v0.1.0
Use when identifying collaboration opportunities across fields, finding experts in complementary disciplines, translating methodologies between scientific do...
by AIpoch (@aipoch-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (finding experts, mapping methods) align with the included code (knowledge graph, domain bridging). However, the package list (scripts/requirements.txt) includes an OpenAI client while the skill declares no required environment variables or credentials — if the code actually calls OpenAI or other external APIs, that credential requirement is missing from the manifest and is disproportionate to the SKILL.md declarations.
Instruction Scope
SKILL.md instructs command-line and Python usage limited to the included library and CLI. It does not instruct the agent to read arbitrary system files or exfiltrate data. However, the SKILL.md does not mention any external API usage, yet the repository includes an OpenAI dependency and sizable Python code that may perform network calls; the runtime instructions therefore omit important operational details (e.g., which APIs are contacted, what keys are used, what data is sent).
Install Mechanism
There is no install spec (instruction-only), so nothing will be auto-downloaded during installation — this lowers installer risk. But the bundle includes requirements.txt and scripts/requirements.txt listing several PyPI packages (including openai). If a user or integrator installs those, standard pip installs from PyPI will occur; no unusual download URLs or archives were present. The absence of an automated install step combined with a non-empty requirements file is an inconsistency worth noting.
Credentials
The skill declares no required environment variables or primary credential, yet the codebase lists the openai package among its dependencies. OpenAI usage typically requires an API key (e.g., OPENAI_API_KEY). The manifest's lack of declared credentials is a mismatch that could lead the code to read environment variables unexpectedly at runtime or fail silently. The code also creates and uses a local data directory (data/) which grants write access to the agent's workspace.
Persistence & Privilege
The skill is not forced-always (always:false) and does not request elevated platform privileges. It creates a local data directory but does not (from the provided materials) modify other skills or system-wide configuration. The allowed-tools header in SKILL.md includes file and shell operations ('Read Write Bash Edit'), so an agent using this skill could read/write files and run commands when invoked — that is expected behavior for a script-based tool but should be considered when granting run permissions.
What to consider before installing
Before installing or running this skill:
(1) Inspect the full scripts/main.py to confirm whether it makes network calls (OpenAI or other APIs), and if so, which environment variables it expects and what data is transmitted.
(2) If the code uses OpenAI or other APIs, require the author to declare the needed credentials in the manifest (e.g., OPENAI_API_KEY) and explain the external endpoints and purpose.
(3) Because the package will write to a local data/ directory, run it in a sandbox or isolated environment until you audit it.
(4) If you don't want the agent to execute arbitrary shell/file operations, avoid enabling the skill's 'Read/Write/Bash/Edit' capabilities or only run the code manually after inspection.
(5) Prefer skills with a verifiable source/homepage and clear credential requirements; ask the publisher for a source repo or provenance before trusting it in sensitive environments.
