Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Academic Paper Fetcher

v1.0.0

Fetch academic papers from Sci-Hub given a DOI. Automatically downloads PDFs and saves them to research/papers/ with clean filenames. Use when the user provides a DOI or requests a paper from PubMed.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill's stated purpose (fetch papers by DOI from Sci‑Hub) matches the included script, which constructs Sci‑Hub URLs and downloads PDFs. However the SKILL metadata claims no required binaries while the script calls curl via subprocess; that binary is effectively required but not declared. SKILL.md also mentions 'use browser' and integrations (Obsidian, research automation) that are not implemented in the script—these are mismatches between description and actual capability.
Instruction Scope
SKILL.md instructs the agent to 'navigate' Sci‑Hub and save files to workspace/research/papers/ and to process multiple DOIs; the script implements that flow using curl and local file writes. The instructions do not ask to read unrelated system files or secrets. Minor scope creep: integration claims (Obsidian sync, automatic discovery from research runs) are described but there is no code to perform those integrations, so the agent would need additional logic to realize them.
Install Mechanism
There is no install spec (instruction-only skill with a bundled script). That keeps disk/write risk low. The included Python script will run as-is; there is no package download or archive extraction. Note: network access and curl must be available at runtime even though they are not declared.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. However it fails to declare a required runtime dependency: the script invokes curl via subprocess.run. The mismatch between declared requirements (none) and actual runtime needs (curl, network access) is a proportionality/information issue that could cause unexpected failures or surprises.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not modify other skills or system-wide settings. It writes files only into the provided output directory (default current directory); the SKILL.md prescribes workspace/research/papers/ but the script will accept an output_dir parameter, which is reasonable behavior.
What to consider before installing
This skill mostly does what it says (downloads PDFs from a hard-coded Sci‑Hub domain). Before installing, consider:

1) Legal/ethical: Sci‑Hub distributes copyrighted material in many jurisdictions — ensure you are comfortable with that risk.
2) Undeclared runtime dependency: the Python script calls curl via subprocess but the skill metadata does not list curl as required; ensure curl and network access are available and acceptable.
3) Mismatched claims: SKILL.md mentions browser navigation and Obsidian/automation integrations that are not implemented in the script — don’t assume those features exist.
4) Safety: downloaded PDFs can contain exploits (rare) and files are written to your workspace path; run the script in a sandboxed environment if you are unsure.
5) If you want more confidence, ask the author to (a) declare required binaries (curl), (b) remove or implement claimed integrations, and (c) optionally allow selecting an alternative, lawful source (publisher APIs, institutional access) instead of Sci‑Hub.

Like a lobster shell, security has layers — review code before you run it.
