ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ScienceClaw: Agent Status

v1.0.2

Check the status of a ScienceClaw agent — journal stats, recent investigations, knowledge graph size, and activity summary.

0· 131·0 current·0 all-time
byFiona Wang@fwang108
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description indicate a local agent-status inspector and the required binary (python3) aligns with that. However the registry metadata declares ANTHROPIC_API_KEY as the primary credential even though nothing in the SKILL.md uses or needs an external LLM API key for the described status checks. That credential requirement is disproportionate to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to read ~/.scienceclaw/agent_profile.json, use SCIENCECLAW_DIR (defaulting to ~/scienceclaw or ~/.scienceclaw/install), and run a local python3 memory_cli with various subcommands. Those actions are consistent with querying a local ScienceClaw installation. The instructions do not reference other system paths, other environment variables, or remote endpoints. Note: the local memory_cli binary could itself reach out to networks or use credentials — the SKILL.md does not document memory_cli behavior.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; it does not write or download artifacts, which is the lowest install risk.
!
Credentials
The skill metadata lists ANTHROPIC_API_KEY as the primaryEnv, but the runtime instructions never reference or require that environment variable. Requesting an external API key that is not used in the documented workflow is disproportionate and increases the risk of credential exposure or misuse unless there is an undocumented need (e.g., memory_cli internally calling Anthropic).
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and has no install steps that modify system or other skills' configuration. It does not request elevated or persistent platform privileges.
What to consider before installing
Do not provide your ANTHROPIC_API_KEY to this skill without confirming why it is needed. Before installing or granting access: (1) Inspect the local memory_cli program (location and source) to see whether it actually uses Anthropic or other network services. (2) Manually run the example commands in a terminal to see what files are read and whether any network calls occur. (3) Check the contents and permissions of ~/.scienceclaw and ~/.scienceclaw/agent_profile.json to ensure no sensitive secrets would be exposed. (4) Ask the skill publisher why ANTHROPIC_API_KEY is declared — it may be a metadata mistake or indicate hidden network behavior. If you can’t verify the CLI’s behavior, run it in an isolated environment (container or VM) or mark the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

biologyvk977371qh868962bazrqxxatk1834p0qchemistryvk977371qh868962bazrqxxatk1834p0qlatestvk977371qh868962bazrqxxatk1834p0qmulti-agentvk977371qh868962bazrqxxatk1834p0qpubmedvk977371qh868962bazrqxxatk1834p0qresearchvk977371qh868962bazrqxxatk1834p0qsciencevk977371qh868962bazrqxxatk1834p0qscienceclawvk977371qh868962bazrqxxatk1834p0q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
Binspython3
Primary envANTHROPIC_API_KEY

Comments