ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Methodology Extractor

v1.0.0

Batch extraction of experimental methods from multiple papers for protocol.

0· 37·0 current·0 all-time
byAIpoch@aipoch-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims 'batch extraction of experimental methods from multiple papers' and documents file input/output and a CONFIG block, but scripts/main.py only contains a tiny demo and does not implement reading a --papers JSON file, writing an output file, or any CONFIG handling. The delivered capability is much smaller than advertised.
!
Instruction Scope
SKILL.md instructs the agent/operator to validate inputs, edit an in-file CONFIG block, run the script with inputs, and produce output artifacts. The script offers only a --demo mode and otherwise prints a usage hint; it does not parse files, perform filesystem I/O, or accept parameters for processing. That mismatch gives the agent vague authority to 'edit' files and run code without a concrete, implemented workflow.
Install Mechanism
There is no install spec (instruction-only with a packaged script). This is low-risk from an install/extraction perspective because nothing is downloaded or installed during pack installation.
Credentials
The skill declares no required environment variables, credentials, or config paths and the script does not access environment secrets. No disproportionate credential access is requested.
Persistence & Privilege
The skill is not always-enabled and uses the normal invocation model. It does not modify other skills or system-wide settings and does not request persistent privileges.
What to consider before installing
This skill is coherent in being a local Python utility but is suspicious because its documentation promises file-based batch processing and a CONFIG block that the shipped script does not implement. Before installing or running: (1) inspect scripts/main.py yourself — it's short and currently only supports a built-in demo; it does not read --papers or write outputs; (2) do not run code from unknown sources on sensitive hosts — test in a sandbox or disposable environment; (3) ask the publisher for a corrected implementation or for explicit instructions on how to provide input files and where outputs are written; (4) if you need the advertised functionality, request that the author add safe input validation, explicit CLI handling for input/output paths, and unit tests demonstrating file I/O; (5) because there are no credentials or network calls in the current code, the immediate risk of exfiltration is low, but the documentation/code mismatch is a red flag — treat the package as incomplete until fixed.

Like a lobster shell, security has layers — review code before you run it.

latestvk971v5d4ckq4n37erqv43x5rmh83pawr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments