Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
My Research Lab
v1.8.0My Research Lab 我的研究院 — Your personal research lab for any topic you care about. Auto-running with cron scheduling, self-evolving. From discovery to brainsto...
⭐ 0· 97·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to be an autonomous, cron-driven research lab and requests SMTP_USER/SMTP_PASS and two config paths (~/.codebuddy/memory and ~/.codebuddy/automations). SMTP credentials are reasonable for an email-pushing research-digest feature. The config paths are plausible for storing memory/automations, but the prefix '.codebuddy' is external to the skill name ('my-research-lab') and suggests it will read/write data belonging to a different subsystem; that deserves scrutiny.
Instruction Scope
SKILL.md instructs the agent to read and update user memory, create and modify cron tasks, perform web searches/fetches, access logs and error diagnostics, store archives locally, and send HTML emails via SMTP. Many of these actions are coherent with the stated purpose, but the instructions are broad and include automated repair actions ('must recreate cron if missing', 'auto-fix channels') and vague reads of '错误日志' ('read and diagnose last execution error logs') without clear path restrictions — this grants the skill wide discretionary access to system state and files beyond a narrowly scoped application folder.
Install Mechanism
Instruction-only skill with no install spec or downloaded code. That limits supply-chain risk because nothing new is written to disk by an installer. The runtime instructions themselves (create cron jobs, write files) are the main risk surface rather than an install mechanism.
Credentials
Only SMTP_USER and SMTP_PASS are declared as required env vars, which fits the email-sending functionality. However the skill requires read/write access to specific config paths (~/.codebuddy/memory and ~/.codebuddy/automations). Those paths may contain unrelated secrets or tokens from other skills (the '.codebuddy' name suggests a shared platform memory). Requesting those paths without explicit scope increases risk of accessing unrelated credentials or private data.
Persistence & Privilege
The skill will create and manage cron jobs and persist archives locally. Creating system scheduled tasks and auto-fixing them is a high-impact capability. Although 'always' is false and autonomous invocation is the platform default, the combination of filesystem access (~/.codebuddy/...), cron modification privileges, and SMTP credentials gives it significant persistent presence and potential to act without frequent user interaction. The SKILL.md promises user confirmations for direction selection, but also instructs '能自己查的不问用户' which pushes for fewer user prompts — a potential scope creep toward more autonomous changes.
What to consider before installing
Before installing: 1) Inspect the contents of ~/.codebuddy/memory and ~/.codebuddy/automations to confirm they don't hold unrelated secrets or tokens (backup first). 2) If you must provide SMTP creds, use an app-specific password or dedicated mailbox with limited privileges and monitor/follow strong revocation steps. 3) Be prepared that the skill will create and modify cron jobs — back up your crontab and review any newly created job entries before allowing them to run autonomously. 4) Ask the publisher (or request the exact prompts/paths the skill will write) to clarify which files it will read/write and where it will store logs. 5) If you have sensitive data in shared memory used by other skills, avoid granting this skill access until you can scope its storage to an isolated directory. If you are uncomfortable with autonomous auto-repair or background scheduling, do not install or run it in an unprivileged/test environment first.Like a lobster shell, security has layers — review code before you run it.
latestvk975p1h7rwn5ce99chk3h0s5d1845f8n
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔬 Clawdis
EnvSMTP_USER, SMTP_PASS
Config~/.codebuddy/memory, ~/.codebuddy/automations