Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
My PubMed Search
v1.0.0
A simple PubMed search skill. Uses web search and API calls to retrieve PubMed literature. Use when the user asks to "search PubMed literature", "find medical papers", or "medical literature retrieval".
by @hollyya
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (PubMed search) matches the included code and templates: the Python script calls NCBI E-Utilities and templates/reference docs are PubMed-relevant. Nothing in the code requests unrelated cloud credentials or unusual system access.
Instruction Scope
SKILL.md instructs the agent to run PowerShell scripts (scripts/pubmed_search.ps1, scripts/test_pubmed_api.ps1) and to use OpenClaw web_search/web_fetch tools, but those PowerShell files are not present in the package and the only provided script is scripts/pubmed_search.py. This mismatch could cause the agent to fail or attempt other remediation (download/execute missing files) and indicates the instructions are out-of-sync with the shipped implementation. SKILL.md also references using an API key but does not specify how the agent should obtain or store it.
Install Mechanism
No install spec is included (instruction-only plus code file). That is low-risk: nothing is downloaded or installed by the registry. The shipped Python script has no obfuscated code or external download endpoints. Note: the script uses the 'requests' package which may not be present in all runtimes and would fail unless available.
Credentials
The skill declares no required environment variables or credentials. The code accepts an optional NCBI api_key and an email address but does not read unspecified secrets. There is no request for unrelated tokens or system config paths.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It does not appear to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with broad credentials or other red flags here.
What to consider before installing
Do not install blindly. The main issue is that SKILL.md tells the agent to run PowerShell scripts and to use OpenClaw web_search/web_fetch, but the package only contains a Python script (scripts/pubmed_search.py). Before installing or enabling this skill: 1) Confirm with the author whether the missing PowerShell scripts are intentional or a packaging error; 2) If you plan to run it, inspect/execute the included Python script locally in a sandbox to verify behavior and dependencies (requests); 3) Check how an API key would be provided — prefer passing it explicitly (not hardcoded) or via a well-scoped secret managed by you; 4) Be cautious if the agent attempts to download or execute missing scripts automatically — that would increase risk. If you need platform portability, ask the maintainer for a consistent, up-to-date SKILL.md matching the shipped files.
Like a lobster shell, security has layers — review code before you run it.
latest vk977hvg52ry95k9tc40sh5gnz984cwxf
