pubmed2blog

Review

Audited by ClawScan on May 10, 2026.

Overview

The PubMed-to-blog workflow is coherent, but the skill asks agents to set up recurring cron automation and relies on an unreviewed global npm CLI plus provider API keys.

Install only if you trust the pubmed2blog npm package and want an external CLI for PubMed-based article generation. Run setup yourself, use limited provider API keys, review healthcare content before publishing, and do not allow cron scheduling unless you explicitly want recurring unattended generation and know how to disable it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could set up ongoing content generation that continues after the immediate task, potentially consuming API credits and creating medical blog drafts without the user realizing it.

Why it was flagged

This instructs the agent to create persistent scheduled automation, but the artifacts do not specify that this requires explicit user consent, scope, frequency, review, or removal instructions.

Skill content

5. Schedule via cron for regular content generation

Recommendation

Only schedule cron jobs when the user explicitly asks for recurring generation, and document the schedule, output location, review process, and removal command.

What this means

A global npm CLI runs code on the user's machine, and future or incorrect package versions could behave differently from what the skill describes.

Why it was flagged

The skill depends on a globally installed npm CLI that is not included in the provided artifacts for review. This is central to the skill's purpose, but users should verify the npm package and publisher before installing.

Skill content

install: npm install -g pubmed2blog

Recommendation

Verify the npm package source, publisher, and version before installation; prefer a pinned version if available.

What this means

Provider API keys may incur cost or grant account access if misused by the installed CLI or recurring automation.

Why it was flagged

The skill expects provider API keys for generation. That is purpose-aligned, but the registry metadata declares no primary credential or required environment variables.

Skill content

Interactive setup for API keys and preferences. ... Supports Anthropic, OpenAI, and Z.AI providers.

Recommendation

Use limited-scope provider keys where possible, enter them only through trusted setup flows, and avoid combining stored keys with unattended cron jobs unless intentionally configured.