Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ResearchClaw
v1.0.0Autonomous research pipeline skill for Claude Code. Given a research topic, orchestrates 23 stages end-to-end: literature review, hypothesis generation, expe...
⭐ 0· 127·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md describes a full CLI and Python package (researchclaw CLI, researchclaw.* modules) and a 23-stage pipeline that runs code and exports artifacts, but the registry entry contains no binaries, no code files, and no install spec. The skill also references needing an LLM API key but the manifest lists no required environment variables or primary credential. This is an incoherent packaging: either the package is missing from the registry or the instructions expect tools that are not provided.
Instruction Scope
Runtime instructions tell the agent to create/modify config.yaml, read/write artifacts, execute generated experiment code via subprocess (sandbox) or run experiments remotely over SSH (ssh_remote), and to use an LLM API key from config or env. Those actions enable arbitrary code execution and remote commands. The SKILL.md does not limit or explicitly declare the credentials, SSH keys, Python interpreter, or packages required, nor does it constrain where outputs are sent.
Install Mechanism
There is no install spec and no code files. That reduces installation risk but is inconsistent with instructions that require a CLI binary and Python package. If the skill expects a preinstalled third-party package, that expectation should be declared. The absence of an install mechanism makes it unclear how the runtime components would be provided, creating a coherence problem and possible risk if users attempt to fetch/install artifacts from unknown sources to satisfy these instructions.
Credentials
Manifest lists no required env vars, yet instructions require the user's LLM API key (in config.yaml or via an env var), reference experiment.sandbox.python_path with numpy, and support ssh_remote mode (which implies SSH credentials). Required secrets/keys are not declared. The skill's ability to execute generated code and run SSH commands means access to sensitive credentials or environments would be particularly impactful; those privileges should be explicitly declared and justified.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and has no install shim, which is appropriate. However, the pipeline supports an --auto-approve flag that bypasses human gates and the skill is allowed to be invoked autonomously (platform default). Combined with the ability to execute code and perform SSH remote runs, auto-approval + autonomous invocation increases operational risk and should be constrained by the user.
What to consider before installing
This skill's docs describe a heavy, runnable pipeline (CLI + Python package) that executes generated code locally or over SSH and uses your LLM API key, but the published bundle contains only instructions and no code or install info. Before using: 1) Do not run --auto-approve or ssh_remote unless you trust the source and control the remote host/keys. 2) Ask the publisher for the canonical source repository, an install method (trusted package or GitHub release), and for explicit declarations of required environment variables (LLM key name, SSH key usage). 3) Inspect any config.yaml you create for embedded secrets and avoid putting primary API keys in unencrypted files. 4) If you test it, run in an isolated VM/container with no sensitive data and without network access to untrusted hosts. If the author cannot provide source code or a trusted install artifact, treat this skill as unsafe to run.Like a lobster shell, security has layers — review code before you run it.
academicvk97a53p7qrdbnzm3qj2abhvvms834gd6autonomousvk97a53p7qrdbnzm3qj2abhvvms834gd6latestvk97a53p7qrdbnzm3qj2abhvvms834gd6latexvk97a53p7qrdbnzm3qj2abhvvms834gd6paper-writingvk97a53p7qrdbnzm3qj2abhvvms834gd6pipelinevk97a53p7qrdbnzm3qj2abhvvms834gd6researchvk97a53p7qrdbnzm3qj2abhvvms834gd6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.