Skillv1.0.0

ClawScan security

pubmed-paper-monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 13, 2026, 3:50 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly implements a PubMed/ISSN monitor, but there are multiple incoherent or sloppy elements (hardcoded contact email, malformed install metadata, SKILL.md requirements that the script does not implement) that warrant caution before using it.
Guidance: This skill appears to implement a PubMed ISSN-based monitor but has several red flags you should consider before installing: (1) the code hardcodes a third‑party email address (Entrez.email) — you should replace it with your own contact or make it configurable; (2) the SKILL.md install line is malformed and may not install Biopython automatically — ensure Biopython is installed from a trusted source; (3) SKILL.md requires behavior (3 retries, exclusive use of monitor.py) that the script does not implement — expect runtime mismatches; (4) the skill will write full reports to your Desktop when >20 articles — review what data it will store and whether that is acceptable. If you proceed, ask the author to (a) remove or make the Entrez.email configurable, (b) fix the install metadata, and (c) add clear retry/failure behavior or allow fallback sources so the instructions and code match. If you cannot validate those fixes, treat the skill as untrusted or run it in an isolated environment.

Review Dimensions

Purpose & Capability: noteThe code (monitor.py) and SKILL.md align with the stated purpose: searching NCBI/Entrez for journals and PubMed articles via ISSN or journal name. The script imports Biopython (Bio.Entrez), which is a reasonable dependency for this purpose. However the SKILL.md metadata contains a malformed install line ('uv pip install biopython') instead of a clear install step, and the script hardcodes Entrez.email to a third-party personal email rather than allowing the user to supply their own contact address — this is unexpected and should have been declared as a configurable parameter.
Instruction Scope: concernSKILL.md mandates strict behavior: use monitor.py only, avoid Crossref/internal search unless 'monitor.py fails after 3 retries', and require immediate bilingual translation plus saving full reports to the Desktop if >20 articles. The monitor.py implementation contains no retry logic or failure-count reporting, so the '3 retries' rule cannot be satisfied by the script as provided — this is an inconsistency. The requirement that the agent perform translations itself (rather than calling a translation API) is a functional constraint but not inherently dangerous; however the instructions force writing potentially large, unencrypted data to the user's Desktop which may have privacy implications.
Install Mechanism: noteThere is no formal install spec in the package; the skill is instruction-only plus a Python script. The SKILL.md metadata suggests installing Biopython (which the script needs) but the entry is malformed ('uv pip install biopython') and therefore unreliable as an automated install instruction. Because the dependency is a normal PyPI package and there are no downloads from unknown URLs, install risk is low if the dependency is installed from a trusted source — but the metadata mismatch is sloppy and could break deployment.
Credentials: concernThe skill requests no environment variables or credentials, which is appropriate. However the code hardcodes Entrez.email to 'chenghan_xiao@hotmail.com' — this is a privacy/attribution concern (network requests will be attributed to that email at NCBI) and is unexpected for a user-facing skill. The skill does not provide a documented way for the user to supply their own email/contact or to configure API rate/settings; that reduces proportionality and control for the end user.
Persistence & Privilege: okThe skill does not request persistent privileges (always:false) and does not modify other skills or system config. It can be invoked autonomously by the agent (disable-model-invocation:false) which is the platform default — this alone is not a new risk given the other concerns, but note the skill's instructions mandate automatic writing of reports to the Desktop which increases its potential to persist user data.