v0.1.1

sciverse agent tools

Suspicious

ClawScan verdict for this skill. Analyzed Apr 30, 2026, 11:41 AM.

Analysis

The skill mostly matches its academic search purpose, but it uses a bearer API token and sends it to a configurable remote endpoint while the registry requirement summary says no credentials are required.

Guidance

Before installing, confirm that you trust the SciVerse endpoint and publisher, correct or account for the registry credential-metadata mismatch, and use a scoped/revocable SCIVERSE_API_TOKEN. The skill appears designed for legitimate academic retrieval, but avoid setting SCIVERSE_BASE_URL to an untrusted server and verify important citations returned by the tool.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Typical chain: semantic_search → pick chunk → read_content(doc_id, offset).

The skill exposes chainable retrieval tools that take user or agent-selected arguments and call a remote API. This is purpose-aligned for literature RAG, but users should understand that autonomous agents can perform searches and content reads through these tools.

User impact: An agent may spend API quota or retrieve more paper content than the user expected, but the tools are fixed to retrieval endpoints and do not mutate local files or accounts.
Recommendation: Use the tools for intended literature retrieval tasks and review agent-chosen query, doc_id, offset, and limit values when cost or disclosure matters.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
metadata
Source: unknown
Homepage: none
Registry metadata: Version: 0.1.1

The registry provenance is incomplete and the registry version differs from the bundled SKILL.md/manifest version 0.1.2. There is no install script or external dependency, so the issue is a provenance/packaging ambiguity rather than evidence of malicious supply-chain behavior.

User impact: Users have less registry-level assurance about the origin and exact packaged version of a credential-using skill.
Recommendation: Verify the publisher and homepage before supplying a token, and align registry source, homepage, and version metadata with the bundled files.

Human-Agent Trust Exploitation
Severity: Info | Confidence: Medium | Status: Note
SKILL.md
For agent workflows that need citation-grade scientific literature.

The wording encourages trust in the returned literature. This is aligned with the academic retrieval purpose, but users should still verify sources and citations.

User impact: Users may over-rely on retrieved snippets or assume every returned result is authoritative and correctly interpreted.
Recommendation: Verify important citations, inspect source papers where needed, and treat search results as evidence to review rather than guaranteed truth.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
scripts/_common.mjs
const TOKEN = process.env.SCIVERSE_API_TOKEN;
const BASE_URL = (process.env.SCIVERSE_BASE_URL ?? "https://sciverse.space/api").replace(/\/$/, "");
...
authorization: `Bearer ${TOKEN}`

The script uses a bearer API token and sends it to the configured API base URL. That credential use is sensitive, and it conflicts with the supplied registry requirement summary that lists no required environment variables and no primary credential.

User impact: A SciVerse API token may be used by the agent and sent to the configured endpoint; if the base URL is changed or the registry disclosure is relied on, the user may misunderstand where the credential goes.
Recommendation: Correct the registry credential metadata, keep SCIVERSE_BASE_URL on the official or trusted endpoint, and use a scoped/revocable SciVerse token.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
Natural-language semantic search returning relevant paper chunks for RAG-style answering.

The skill intentionally injects retrieved paper chunks into an agent's context for RAG. This is core functionality, but retrieved text should be treated as source material, not as instructions to the agent.

User impact: Retrieved academic text could influence the agent's response; if treated uncritically, irrelevant or adversarial text could affect answers.
Recommendation: Treat returned chunks as citations/data only, verify important claims, and do not let retrieved text override user or system instructions.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/_common.mjs
const BASE_URL = (process.env.SCIVERSE_BASE_URL ?? "https://sciverse.space/api").replace(/\/$/, "");
...
const res = await fetch(url, init);

The skill communicates with a remote provider API, and the destination can be overridden with SCIVERSE_BASE_URL. This is disclosed and purpose-aligned, but users should notice the provider/data boundary.

User impact: Search queries, document identifiers, and the bearer token are sent to the configured SciVerse-compatible endpoint.
Recommendation: Use only trusted SciVerse API endpoints or trusted self-hosted gateways, and avoid sending sensitive private queries unless the provider terms are acceptable.