Skill v1.0.0
ClawScan security
PubMed临床医学文献检索系统 (PubMed Clinical Medicine Literature Search System) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 6, 2026, 1:28 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, required inputs, and behavior are coherent with a PubMed + JCR-based literature search and analysis tool; nothing requests unrelated credentials or installs arbitrary code.
- Guidance: This skill appears coherent and focused on PubMed+JCR literature retrieval. Before installing or using it: 1) Ensure the execution environment you plan to use has Python and pandas (the SKILL.md assumes these but the manifest doesn’t list them). 2) Be prepared to provide a JCR Excel file — review that file for sensitive content before uploading. 3) Confirm the local override rule (the Int J Surg → Q2 adjustment) is acceptable for your use. 4) Expect PubMed API rate limits; for large jobs ensure batching is handled. 5) Always verify returned PMIDs and read source abstracts/full texts for clinical decisions — automated ranking is a triage aid, not a substitute for manual review.
Review Dimensions
- Purpose & Capability (ok): Name/description (PubMed literature search + JCR-based ranking) match the SKILL.md: the instructions describe constructing MeSH-based queries, calling NCBI Entrez (ESearch/ESummary/EFetch), ingesting a JCR Excel file, and ranking results by relevance/JCR/year — all consistent with the stated purpose.
- Instruction Scope (note): Instructions stay within the stated purpose (query construction, PubMed API calls, analysis of top-50 papers). They explicitly require a user-provided JCR Excel file and describe using pandas for processing. The SKILL.md does not instruct the agent to read unrelated system files or secrets. Minor issue: the doc assumes ability to run Python/pandas and perform HTTP calls but the skill's manifest does not declare these runtime dependencies.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest install risk. Nothing in the SKILL.md directs downloading arbitrary archives or third-party installers.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The only external access is to the public NCBI Entrez API (expected) and to a user-supplied JCR Excel file (document data). No unrelated secrets are required.
- Persistence & Privilege (ok): The skill is not always-on and does not request system-wide persistence or modify other skills. Autonomous invocation is allowed (platform default) but is not combined with other concerning privileges.
