Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Research
v1.0.0
Conduct open-ended research on a topic, building a living markdown document. Supports interactive and deep research modes.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to run deep async research via a 'parallel-research' CLI and to export PDFs via an 'export-pdf' script. However, the package contains only docs (OPENCLAW.md, SETUP.md, SKILL.md) and no scripts or binaries. The instructions expect files under ~/.openclaw/skills/research/scripts/, but those scripts are not present—this mismatch suggests either missing artifacts or sloppy packaging.
Instruction Scope
Runtime instructions tell the agent to create files under ~/.openclaw/workspace/research and to schedule cron jobs that deliver results back to a source channel. They also describe how to store and expose PARALLEL_API_KEY via a local .env and by appending an export to the shell profile. The doc assumes an env var exists and that cron jobs can deliver messages to external channels. These behaviors are plausible for a research skill, but the instructions reference environment and configuration settings that were not declared and that enable external delivery of results, which increases the risk surface.
Install Mechanism
There is no formal install spec, but SETUP.md recommends symlinking local scripts (which are absent) and running a remote installer via curl (curl -LsSf https://astral.sh/uv/install.sh | sh). Advising an unattended remote install script is high-risk. The recommended global symlinks (/usr/local/bin) and modifications to ~/.bashrc are also persistent, privileged operations. The absence of included scripts plus a remote install command is a problematic combination.
Credentials
The skill metadata declares no required env vars, yet the docs repeatedly rely on PARALLEL_API_KEY being present and instruct creating ~/.secrets/parallel_ai/.env and exporting it into the shell profile. Asking users to store an API key in plain text and append it to shell startup without declaring the key in the skill manifest is disproportionate and inconsistent. The requested secret itself (Parallel AI key) is plausible for the described deep-research capability, but the handling guidance is insecure and undocumented in the manifest.
Persistence & Privilege
The skill does not request always:true and doesn't claim extra platform privileges. However, SETUP.md instructs persistent changes (symlinks into user PATH, appending exports to ~/.bashrc, creating ~/.secrets, and scheduling cron jobs). Those are normal for CLI tooling but are materially persistent and should be performed only after verifying the scripts being linked and installed.
What to consider before installing
This skill's docs expect a 'parallel-research' CLI and 'export-pdf' script plus a PARALLEL_API_KEY, but those scripts and the env var are not declared or bundled. Before installing or following SETUP.md:
1) Ask the author for the missing scripts (or a trusted release URL) and for a homepage/repo so you can review their code.
2) Do not blindly run the curl | sh installer (astral.sh) — audit that script or install uv/pymupdf via your distro/package manager instead.
3) Prefer storing API keys in a secure secret store or OS keyring rather than echoing into a plaintext file and appending 'export' into ~/.bashrc.
4) If you must symlink scripts, inspect them first and avoid system-wide /usr/local installs unless you trust the source.
5) Verify how cron payloads deliver messages and what data they include (cron jobs could leak results or identifiers to external channels).
If the author provides the missing artifacts and a trustworthy source for the uv installer, the architecture is reasonable; without that, the package is inconsistent and should be treated with caution.
Like a lobster shell, security has layers — review code before you run it.
latestvk97333mzv0ajavtn3n9dr8vs8d81vctv
