Deep Researcher
v1.0.0Conduct iterative, hypothesis-driven deep research combining web, academic, and contradiction analysis to produce scientific Markdown reports with sourced ev...
⭐ 4· 849·7 current·7 all-time
byHagen Hoferichter@h4gen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name and description (iterative, multi-source research producing Markdown reports) match the instructions: running other search/retrieval skills and combining their outputs. Required binaries (node, npx, curl, jq) and the two API keys (TAVILY_API_KEY, PERPLEXITY_API_KEY) are consistent with the declared upstream tools and the command examples that invoke node and bash scripts. The skill explicitly coordinates other skills rather than performing unrelated actions.
Instruction Scope
SKILL.md limits behavior to research workflow steps: question decomposition, running web/academic searches, extracting URLs, and contradiction resolution. It does instruct the agent to fetch arbitrary web pages for extraction (expected for research) and to install/invoke upstream skill scripts. It does not tell the agent to read unrelated files, sweep system state, or exfiltrate environment variables beyond the two declared keys. The explicit 'do not start synthesis without explicit scope' and the input collection requirements are appropriate controls.
Install Mechanism
The skill is instruction-only (no install spec), but SKILL.md instructs using npx to install/update upstream skills (npx -y clawhub@latest install ...). Using npx/npm to fetch and run code is a common pattern but carries moderate risk because it pulls packages from the network at runtime. The install commands point to a public registry (npm) rather than obscure URLs, which is expected, but you should review the upstream packages (deepresearchwork, tavily-search, literature-search, perplexity-deep-search) before executing installs in a production environment.
Credentials
Only two API keys are required (TAVILY_API_KEY and PERPLEXITY_API_KEY), which aligns with the skill's use of Tavily and Perplexity services. No unrelated credentials, system secrets, or config paths are requested. The skill does not declare a primaryEnv even though two keys are required; that is a minor metadata gap but not a substantive red flag. Preflight checks merely verify presence/length of keys.
Persistence & Privilege
always is false and the skill does not request permanent or elevated agent/system privileges. It instructs installing and invoking other skills but does not instruct modifying other skills' configs or system-wide settings. Autonomous invocation (disable-model-invocation: false) is the platform default and by itself is not a problem here.
Assessment
This skill appears coherent for its stated purpose, but before installing or running it you should: (1) Confirm the TAVILY and PERPLEXITY API keys you provide are scoped/least-privilege and are revocable; (2) Review the upstream packages (deepresearchwork, tavily-search, literature-search, perplexity-deep-search) and their install scripts because the skill instructs npx to fetch and run them at install time; (3) Prefer testing installs in an isolated environment (container or VM) to avoid unintended network activity or filesystem changes; (4) Be aware the skill will fetch and extract arbitrary web pages—avoid giving it internal/private URLs or secrets to include in queries; (5) Note the literature-search upstream tool contains a quirky behavior (it prepends a prompt phrase) — this is an implementation detail but worth reviewing for any unexpected prompt engineering. If you want higher assurance, ask for the exact versions and source locations of each upstream package before running the npx installs.Like a lobster shell, security has layers — review code before you run it.
latestvk976a2qqfmj5vd0t6kj85r4kys814zwc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
microscope Clawdis
Binsnode, curl, jq, npx
EnvTAVILY_API_KEY, PERPLEXITY_API_KEY