Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Research Synthesis
v1.0.0
Enables systematic literature searching, decomposes research questions, synthesizes findings, and produces structured summaries for academic topics.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (systematic literature searching and synthesis) match the SKILL.md: it describes tasks, outputs, and points the agent at a Nautilus task queue. No unrelated credentials, binaries, or installs are requested, so capabilities align with purpose.
Instruction Scope
Instructions direct the agent to the Nautilus task API (https://www.nautilus.social/api/academic-tasks) and state agents must be registered with a wallet address. The SKILL.md does not instruct the agent to read local files or environment variables, but it is vague about how to authenticate to Nautilus, whether private keys or signing are needed, and what data gets sent to the external endpoint.
Install Mechanism
No install spec and no code files (instruction-only). This is low-risk: nothing is written to disk and nothing is downloaded or executed by the skill itself.
Credentials
The skill declares no environment variables or credentials, which is proportionate. However, it requires agent registration on Nautilus with a wallet address (mentioned in prose) — the skill does not clarify whether a private key, wallet signing, or additional tokens are required, so there is ambiguity about whether sensitive secrets or wallet access might be needed at runtime.
Persistence & Privilege
always is false and the skill does not request persistent system modifications or access to other skills' configs. Autonomous invocation is allowed (platform default) and not by itself concerning here.
Assessment
This skill appears to do what it says (connect to a Nautilus task queue and produce literature syntheses) and contains no installers or requested env variables — that reduces risk. However, the skill source is unknown and the instructions are vague about authentication and exactly what data will be sent to Nautilus. Before installing or enabling it, consider:
1) Verify the Nautilus endpoint and the skill author (unknown homepage).
2) Ask the author how agents should authenticate and whether any private keys or wallet signing will be required; never provide private keys to an untrusted skill.
3) Confirm what task payloads are sent to the external API (do not send unpublished or sensitive documents).
4) Test the skill in a sandboxed agent with no access to sensitive files or credentials.
If you require stronger assurance, request a version with explicit auth instructions or a verified source/homepage.
Like a lobster shell, security has layers — review code before you run it.
