ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

R Stats

v1.1.0

82 statistical analysis methods in R — regression, survival, Bayesian, meta-analysis, causal inference, SEM, IRT, clinical trial design, and more. JSON spec...

0· 154·0 current·0 all-time
by@cuiweig
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (82 R methods) match the declared requirements: Rscript and bash are reasonable and sufficient for driving R analyses and package installs. The referenced R packages and method table in the repo are consistent with the stated capabilities.
Instruction Scope
SKILL.md gives a bounded workflow: confirm dataset, run a local schema script, build a JSON spec, run analyze, and read output files. Those steps are within scope for a stats skill. However the runtime flow depends on executing scripts (scripts/run-rstats.sh and many install-*.R files). The provided SKILL.md listing shows many example data/spec files but the script contents were not fully visible here. Any shell script executed by the agent can perform arbitrary actions (network I/O, exec other commands, read arbitrary files) so their exact behavior should be inspected before use.
Install Mechanism
No platform install spec (instruction-only) reduces supply-chain risk. The skill likely installs R packages via included install-*.R scripts as needed; this is expected for R-based tooling. Still, package installation is networked (CRAN/bioconductor/GitHub) and the install scripts should be checked for unusual download URLs, URL shorteners, or external servers.
Credentials
The skill declares no required environment variables, no primary credential, and no config path access. That is proportional: statistical analyses typically do not require secrets. There is no evidence the SKILL.md asks for unrelated credentials or reads environment variables beyond the declared binaries.
Persistence & Privilege
always:false and no claims to modify other skills or global agent configuration. The skill will run autonomously by default (normal for skills), but it does not request permanent platform-level privileges.
What to consider before installing
This skill appears internally consistent for R-based statistical workflows, but it relies on executing included shell/R scripts. Before installing or running on real or sensitive datasets: 1) Inspect scripts/run-rstats.sh and all install-*.R and other scripts for network calls (curl/wget/git/R devtools::install_github), data exfiltration (HTTP POSTs, unusual endpoints), or commands that access files outside the declared output_dir. 2) Verify that R package installs come from CRAN/Bioconductor or trusted GitHub repos (no URL shorteners or personal servers). 3) Run the skill first in an isolated environment (container or sandbox) with non-sensitive example data. 4) If you want to allow autonomous invocation, prefer giving it only non-sensitive access or require manual approval for running scripts. If you’d like, provide the contents of scripts/run-rstats.sh and any install-*.R files and I will review them for unsafe operations.

Like a lobster shell, security has layers — review code before you run it.

latestvk9704he3e86tdbxc1s11s8wf1h83sa4j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
BinsRscript, bash

Comments