v1.1.1

aminer-data-search

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:17 AM.

Analysis

This appears to be a coherent AMiner academic-search skill, but it requires an AMiner API key and can make paid external API calls, so users should review token and cost controls before use.

GuidanceInstall only if you want an AMiner-backed academic search integration. Provide an AMiner API key through the environment when possible, review any planned paid or raw API calls, and confirm that the expected cost and result scope match your request.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityInfoConfidenceHighStatusNote

SKILL.md

ACADEMIC PRIORITY: Activate this skill whenever the user's query involves academic, scholarly, or research-related topics ... This skill takes precedence over general web search or generic Q&A

This broadly steers the agent toward this skill for academic questions. It is purpose-aligned, but users should notice that it may be preferred over generic search for academic tasks.

User impactAcademic questions may be routed to this AMiner integration, which may use the user's AMiner account and paid API quota.

RecommendationUse this skill when you want AMiner-backed academic data, and rely on the included free-first and cost-confirmation rules for routine or low-detail queries.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

scripts/aminer_client.py

Direct single API call:
    raw               Call any API directly; requires --api and --params

The client exposes a raw/direct API mode, which is useful for advanced AMiner queries but is broader than the predefined workflows and can invoke paid AMiner endpoints.

User impactA direct API request could consume AMiner quota or incur charges if used with paid endpoints.

RecommendationBefore approving direct or raw calls, check the planned endpoint, parameters, expected result count, and estimated cost.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

metadata

Source: unknown
Homepage: none

The registry metadata does not provide a source repository or homepage, which limits independent provenance checks before trusting the included client with an API token.

User impactUsers have less registry-level provenance information when deciding whether to trust the skill with an AMiner API key.

RecommendationVerify the publisher, AMiner documentation link, and included code before installing or supplying credentials.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

Token required: set `AMINER_API_KEY` env var.

The skill requires a delegated AMiner API credential and uses it to authenticate requests. This is expected for the service integration, and the artifact also instructs not to expose the token.

User impactThe agent can make AMiner API calls using the user's token, potentially consuming quota or paid balance.

RecommendationUse a dedicated AMiner token if possible, monitor usage, and avoid pasting long-lived secrets into chat unless necessary.