academic-paper-citation

This skill appears to implement the advertised features, but inspect and test it carefully before using on real work: - Don’t run these scripts as-is on your primary files. Many scripts have hardcoded absolute paths (/Users/openclaw2026/.qclaw/workspace/...) and will read/write those locations rather than honor CLI args — this can overwrite data unexpectedly. - Review and modify code to accept and respect explicit input/output arguments (or run in a disposable environment). Replace hardcoded paths with relative paths or explicit parameters. - Backup any documents in the referenced workspace before running the skill. Check for files like task_status.json, references.json that the scripts will read — they may contain project metadata. - Run the tool in a sandbox/container or throwaway VM first so you can observe file reads/writes without exposing your real workspace. - The only external install requested is the npm 'docx' package — verify you trust that dependency and install it in an isolated Node environment (nvm, project-local node_modules), not system-wide. - If you plan to allow autonomous invocation, be cautious: although the skill does not exfiltrate data over the network, autonomous runs could read/write many local files due to hardcoded paths. Consider disabling autonomous invocation until you remediate the path-handling issues. If you want, I can: - point out all places in the code that use hardcoded paths so you can patch them, - create a checklist of minimal safe changes to make the scripts accept arguments and avoid surprise file writes, - or suggest a safe wrapper to run the skill in a temporary directory.