PMC Harvest
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: pmc-harvest Version: 1.0.0 The OpenClaw skill 'pmc-harvest' is designed to fetch articles from PubMed Central using official NCBI APIs. All network requests are directed to `eutils.ncbi.nlm.nih.gov` and `pmc.ncbi.nlm.nih.gov`, as documented in `SKILL.md` and implemented in `lib/api.js`. User inputs are handled as query parameters or IDs, which are properly URL-encoded or parsed, preventing arbitrary command or URL injection. The `SKILL.md` file contains no prompt injection attempts against the agent. The code demonstrates responsible API usage, including rate limiting, and lacks any indicators of malicious intent such as data exfiltration, unauthorized execution, or persistence mechanisms.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your literature search terms and requested PMC IDs are sent to NCBI/PMC, and returned article data may be printed or used by the agent.
The code sends user search terms and PMCID requests to external NCBI/PMC APIs. This is expected for the stated purpose and is clearly disclosed.
const EUTILS_BASE = 'https://eutils.ncbi.nlm.nih.gov/entrez/eutils'; const OAI_BASE = 'https://pmc.ncbi.nlm.nih.gov/api/oai/v1/mh/';
Use it for public literature retrieval, avoid sensitive unpublished query terms if that matters to you, and follow NCBI rate-limit guidance.
It is harder to independently verify the maintainer, update history, or upstream repository for this skill.
The registry metadata does not provide an upstream source or homepage, so provenance is limited even though the full code is included and no external install step is shown.
Source: unknown Homepage: none
Review the included code before installing and pin or re-review the exact version before using it in automated pipelines.