Skillv1.0.0

ClawScan security

科研课题成果汇编 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 28, 2026, 7:53 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and instructions are coherent with its stated purpose of compiling research outcomes — it is instruction-only, requests no secrets or installs, and its web-research and Word-export steps match the described workflow.
Guidance: This skill appears coherent and focused on assembling research outputs. Before installing/using: (1) be prepared to provide the project files you want compiled (the skill expects user materials); (2) confirm you want the agent to perform web searches — it will consult public and institutional sites (some are paywalled like CNKI) and may need you to supply subscription content; (3) verify all citations and quoted material the agent adds (LLMs can hallucinate sources or fabricate details when originals are unavailable); (4) review the 'docx' skill or export mechanism before generating documents to understand where files are stored/transmitted; (5) do not upload sensitive or unpublished data unless you are comfortable sharing it with the agent. If you want stronger safety guarantees, require manual confirmation at each phase (the skill already enforces Phase 2 confirmation) and provide source documents rather than relying solely on web supplementation.

Review Dimensions

Purpose & Capability: okName/description (compiling research outcomes into a structured Word file) match the SKILL.md and reference templates. The only external capability it relies on is web research and the 'docx' skill for Word export, which are appropriate for the stated goal.
Instruction Scope: noteInstructions direct the agent to ingest user-provided materials, perform targeted online searches (CNKI, government sites, World Bank, etc.), construct templates, and iteratively produce content. This is within scope, but it does grant the agent discretion to fetch external documents — users should be aware the agent will attempt online retrieval and synthesize findings (which may produce fabricated citations if sources are unavailable). The skill explicitly requires user confirmation before deeper processing (Phase 2→3), which limits unwanted autonomous escalation.
Install Mechanism: okInstruction-only; no install spec, no downloads, no code files to execute. Lowest-risk installation footprint.
Credentials: okNo environment variables, credentials, or config paths are requested. The referenced external sources (CNKI, WanFang, etc.) may be paywalled or require user access, but asking to consult them is reasonable for the task and does not presume secret access.
Persistence & Privilege: okalways:false and no claims to modify other skills or system settings. The skill suggests using another 'docx' skill to produce files; users should review that skill's behavior separately, but this skill itself does not request elevated persistence or privileges.