Journal Matchmaker

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a local journal recommendation tool with no evidence of credential use, network calls, or deceptive behavior, though it asks users to run Python and pip locally.

This skill looks reasonable for local journal matching. Before installing, be comfortable running a local Python script and installing a pip dependency, and remember that manuscript abstracts may be sensitive intellectual property even if the artifacts show no network sharing.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
Low
What this means

Using the skill runs code in the user's local environment.

Why it was flagged

The skill is designed to be used by running a local Python script. This is disclosed and central to the stated journal-matching purpose, but it still means local code will execute.

Skill content
python scripts/main.py --abstract "Your paper abstract text here" [--field "field_name"] [--min-if 5.0] [--count 5]
Recommendation

Run it only from a trusted workspace, preferably in a virtual environment, and review the command before invoking it.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

A pip install may fetch package code from a package index unless the dependency is already present or managed elsewhere.

Why it was flagged

The dependency is listed without a version pin, and SKILL.md instructs users to install requirements with pip. This is a common setup pattern, but it introduces some dependency provenance and version risk.

Skill content
dataclasses
Recommendation

Use a virtual environment and consider pinning or auditing the dependency before installation.