ClawHub

semantic-scholar

PassAudited by ClawScan on May 1, 2026.

Overview

This skill appears to be a purpose-aligned Semantic Scholar helper that makes disclosed API calls, optionally uses an API key, and saves scholarly metadata locally.

Before installing, be comfortable with the skill making live requests to Semantic Scholar and writing result files. Use narrow queries and limits for bulk jobs, keep any API key in an environment variable, and install Python dependencies only from trusted sources.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI02: Tool Misuse and Exploitation
What this means

When invoked, the skill can send search queries or paper IDs to Semantic Scholar and save returned metadata to local JSONL/CSV files.

Why it was flagged

The helper makes live Semantic Scholar API calls for bulk search; this is disclosed and central to the skill, but broad searches can consume API quota and create large output files.

Skill content
BASE_URL = "https://api.semanticscholar.org/graph/v1/paper/search/bulk"
Recommendation

Use scoped queries, minimal fields, and page or result limits for large jobs; confirm storage expectations before broad harvesting.

Low
#ASI03: Identity and Privilege Abuse
What this means

If the environment variable is set, requests made by the scripts will authenticate to Semantic Scholar using that key.

Why it was flagged

The scripts optionally use a local Semantic Scholar API key and attach it as the expected x-api-key header; no hardcoded key, unrelated credential use, or credential logging is shown.

Skill content
api_key = os.getenv("SEMANTIC_SCHOLAR_API_KEY", "").strip() ... headers["x-api-key"] = api_key
Recommendation

Store the API key in the environment rather than prompts or files, and use a key intended only for Semantic Scholar access.

Info
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

A user may need to install Python packages before running the bundled scripts.

Why it was flagged

The script documents manual, unpinned dependency installation; this is common for helper scripts but users should install dependencies from trusted package sources.

Skill content
Install
-------
pip install requests pandas
Recommendation

Install dependencies from trusted sources and consider pinning versions in your own environment if reproducibility matters.