Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

IRB Application Assistant

v1.0.0

Assists researchers with Institutional Review Board (IRB) application tasks, including drafting informed consent documents, reviewing research protocols for...

by AIpoch @aipoch-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
SKILL.md describes multiple capabilities (compliance-check, generate-application, validate-submission, producing .docx packages, rulesets, references/) that would reasonably require significant code and data files. The included scripts/main.py only generates simple plain-text application and consent templates and exposes a --template flag; it does not implement --task options or compliance logic. Several referenced artifacts (protocol.json examples, study_config.json, references/ directory) are missing. This mismatch means the requested functionality is not actually provided.
[!] Instruction Scope
The instructions tell users to run tasks that imply reading protocol/config files and producing validated packages, and they instruct workflows with mandatory compliance checkpoints. The actual runtime artifact (scripts/main.py) only composes and writes basic text templates and does not perform compliance checks, validation, or .docx generation. The SKILL.md therefore directs the agent and user to expect behaviors that are not implemented, which is misleading and could cause users to proceed under false assumptions. The SKILL.md also references files/paths that don't exist in the bundle.
Install Mechanism
No install spec or external downloads; this is an instruction-only skill with a small included Python script. Nothing is fetched from remote URLs and no archives are extracted, so install risk is low.
Credentials
The skill declares no required environment variables, credentials, or config paths and the script does not access network, environment variables, or external secrets. The requested privileges are proportionate to the code present.
Persistence & Privilege
always is false and the skill does not request persistent presence or modify other skills. It does not try to write to global agent settings; persistence/privilege level is appropriate.
What to consider before installing
This package is incomplete and therefore suspicious rather than outright malicious: SKILL.md promises compliance checks, full application generation, .docx output, and references that aren't present, while the included script only writes simple plain-text templates. Do not use it for any real IRB submission or with PHI-containing data. If you consider using it: (1) inspect/run the Python script in a sandbox to confirm its behavior, (2) ask the publisher for the missing files and an authoritative source or homepage, (3) verify there is no network I/O or logging of sensitive data, and (4) prefer established tools or institutional templates for regulatory work. If the author provides the missing implementation and documentation, reassess; for now, treat this as incomplete and do not rely on it for compliance-critical tasks.

Like a lobster shell, security has layers — review code before you run it.

latestvk9754t14m22w50vve0z3afpa1x83jbh9
