Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Data Management Plan Creator

v0.1.1

Automatically generate NIH 2023-compliant Data Management and Sharing Plan (DMSP) drafts following FAIR principles

by AIpoch (@aipoch-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (NIH DMSP, FAIR) align with the provided code and docs: the repository contains a DMSP template, README, SKILL.md, and a Python script that generates plan text. Requested capabilities (none: no env vars, no binaries) are appropriate for this task.
Instruction Scope
SKILL.md instructs running scripts/main.py (CLI, interactive, or as module), which is consistent with generating DMSPs. The documentation claims 'No external API calls' and 'uses standard library only', which appears plausible from visible imports; however SKILL.md also includes a pip install -r requirements.txt step (requirements.txt lists 'dataclasses'), an inconsistency worth noting. The script reads/writes workspace files (expected for this tool) but you should confirm there is no unexpected file access or network I/O in the parts of main.py not shown in the truncated excerpt.
Install Mechanism
There is no install specification in the registry (instruction-only), which is low-risk. SKILL.md still instructs 'pip install -r requirements.txt' even though it claims to use only the standard library; requirements.txt contains only 'dataclasses' (a stdlib type in Python 3.8+), so the pip step is unnecessary for the declared Python version — minor inconsistency but not itself malicious.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The code shown imports only standard modules (json, os, re, pathlib, etc.). This is proportionate to the described purpose.
Persistence & Privilege
Flags show always: false and normal model invocation behavior. The skill does not request permanent agent presence or elevated privileges in the registry metadata.
What to consider before installing
This skill appears to do what it says (generate NIH-compliant DMSP drafts) and does not request credentials or network access in the manifest, but a few conservative checks are recommended before installing or using it on sensitive data:

- Inspect the full scripts/main.py file yourself (or ask the author) to confirm there are no hidden network calls, telemetry, or use of exec/subprocess. The provided file is large and was truncated in the review material; fully review it.
- The SKILL.md claims 'standard library only' but also suggests running pip install -r requirements.txt; requirements.txt lists 'dataclasses', which is part of Python 3.8+. If you run pip, do so in a fresh virtualenv to avoid pulling unwanted packages.
- Run the script in a sandbox or isolated environment first and test with dummy inputs to see what files it writes and where. Confirm it enforces safe path handling (no '../' traversal) and that output files are only written to the intended workspace.
- Grep the code for network libraries (requests, urllib, socket) and for subprocess/exec usage. If any network or shell execution appears, require justification before use.
- If you will feed real or sensitive data, ensure outputs do not inadvertently include identifying information; validate sanitization/de-identification steps.

If you are not comfortable reviewing the code, consider asking the skill author for a short security statement or running the tool on synthetic data only.


latest: vk9718yq7qgd6g39e333vy6w6bd833wcj
