Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

KOL Profiler

v1.0.0

Analyze physician academic influence and collaboration networks

by AIpoch (@aipoch-ai)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (analyze physician influence and collaboration networks) matches the included Python script: main.py computes simple publication metrics and collaborators from a provided JSON or demo data. No network calls or external services are present and no extra binaries or credentials are requested.
Instruction Scope
SKILL.md documents many parameters (--therapeutic-area, --metrics, --output, --format) and security checks (input validation, preventing ../ traversal) that are not implemented in scripts/main.py. The script only accepts --author, --data, and --demo. The SKILL.md promises output-file and format options that the code does not support, creating a clear mismatch. The script reads an arbitrary JSON file path supplied by the user with no validation beyond json.load, so malicious or accidental input could expose sensitive local data if the user supplies an unexpected path.
Install Mechanism
No install spec (instruction-only style plus a single small script). Nothing is downloaded or written to disk by an installer; only the included script would run. This is the lowest install risk.
Credentials
The skill declares no required environment variables or credentials and the code contains none. That is proportional to the stated purpose.
Persistence & Privilege
The skill does not request persistent presence, does not modify other skills or system-wide settings, and does not require elevated privileges. It runs locally and only performs file reads/writes triggered by user invocation.
What to consider before installing
This skill appears to be a small local profiler script, but SKILL.md and the code disagree: the documentation lists many parameters and safety checks that the script does not implement. Before installing or running: (1) review or run the included scripts/main.py directly in a safe environment; (2) do not pass paths to sensitive files — the script will open any JSON path you give it without validation; (3) if you expect --output/--format/other features, request an updated SKILL.md or updated code; (4) run the script on non-sensitive demo data first; (5) if you will integrate into workflows, add input-path validation and explicit output-path handling or sandbox execution. The mismatch between documentation and code is the primary reason for a cautious (suspicious) classification.

Like a lobster shell, security has layers — review code before you run it.


