Scientific Graphical Abstract Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears purpose-aligned for generating SVG scientific figures, with normal but noteworthy setup, API-key, provider-data, and SVG-sanitization considerations.
This skill looks coherent for creating SVG graphical abstracts. Before installing, verify the GitHub source and use an isolated environment. If you configure API keys or provide research data, treat prompts and datasets as potentially shared with the selected AI provider. Review generated SVGs before opening, embedding, or publishing them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing directly from remote sources can expose you to changes in that repository or its dependencies.
The README asks the user to install from an external GitHub repository and optionally run a remote installer and dependency installation. This is user-directed and common, but it depends on external provenance and mutable packages.
npx skills add https://github.com/JackKuo666/scientific-graphical-abstract-skill.git
...
curl -LsSf https://astral.sh/uv/install.sh | sh
...
pip install -r requirements.txt
Install only from a trusted repository, review the files first, and consider pinning dependency versions or using an isolated virtual environment.
If you configure these keys, the skill may be able to use your provider account and billing quota.
The script reads optional provider API keys from environment variables. This is aligned with the advertised AI-model integrations, and the supplied artifacts do not show hardcoded keys, logging, or unrelated credential use.
"claude": os.getenv("ANTHROPIC_API_KEY"), "gpt4o": os.getenv("OPENAI_API_KEY"), "deepseek": os.getenv("DEEPSEEK_API_KEY")
Use least-privilege or project-scoped API keys where possible, keep them out of shared files, and revoke them if no longer needed.
Confidential research descriptions or datasets could leave your local environment if you choose an external model-backed workflow.
The skill advertises third-party AI model support and data-driven chart generation. If model-backed generation is used, prompts or selected data may be processed by those providers, although no hidden provider endpoint is shown.
Support for Claude, GPT-4o, DeepSeek ... `--data` | Data file (CSV/JSON) for charts
Avoid sending unpublished or regulated data to external providers unless permitted, and check the provider's retention and privacy terms.
A malicious or untrusted data label could affect the generated SVG file, especially if the SVG is later opened in a browser or published on a website.
The SVG generation code visible in the artifacts inserts text directly into SVG markup with no XML escaping in sight. If untrusted CSV/JSON labels or prompts are embedded, they could produce malformed or active SVG content when the file is opened in a browser or embedded elsewhere.
svg_text += f'text-anchor="{anchor}">{text}</text>'
Use trusted input data, review generated SVG before sharing, and update the generator to XML-escape text and validate style/color values.
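As an added example, not code from the skill or from ClawScan, the unescaped pattern quoted above is shown beside a hardened version that XML-escapes the label and allow-lists the anchor and colour values; the function names and attribute layout are assumptions, and the untrusted label used for the check is constructed.

```python
import html
import re
import xml.etree.ElementTree as ET

# Hypothetical helpers: the skill's real generator function is not shown in the report.
HEX_COLOR = re.compile(r"^#[0-9A-Fa-f]{6}$")
ANCHORS = ("start", "middle", "end")


def unsafe_label(text, anchor="middle", fill="#000000"):
    """Mirrors the quoted pattern: values are interpolated into markup as-is."""
    return f'<text x="10" y="20" fill="{fill}" text-anchor="{anchor}">{text}</text>'


def safe_label(text, anchor="middle", fill="#000000"):
    """Hardened form: escape text/attributes, allow-list anchor and colour."""
    if anchor not in ANCHORS:
        raise ValueError(f"invalid text-anchor: {anchor!r}")
    if not HEX_COLOR.match(fill):
        raise ValueError(f"invalid fill colour: {fill!r}")
    return (f'<text x="10" y="20" fill="{html.escape(fill, quote=True)}" '
            f'text-anchor="{anchor}">{html.escape(text, quote=True)}</text>')


def svg_elements(fragment):
    """Parse a fragment under an <svg> root and list the child tag names found.

    A single label must yield exactly one 'text' element; anything else means
    the label text broke out of the element and became markup of its own.
    """
    root = ET.fromstring(f'<svg xmlns="http://www.w3.org/2000/svg">{fragment}</svg>')
    return [el.tag.split("}")[-1] for el in root.iter() if el is not root]


def text_content(fragment):
    """Return the parsed text of the first element, i.e. what a viewer would render."""
    root = ET.fromstring(f'<svg xmlns="http://www.w3.org/2000/svg">{fragment}</svg>')
    return root[0].text


# Constructed untrusted label, as might arrive in a CSV column used for chart text.
UNTRUSTED = 'Series A</text><rect width="1" height="1"/><text>'

if __name__ == "__main__":
    print("unsafe :", svg_elements(unsafe_label(UNTRUSTED)))   # extra elements appear
    print("safe   :", svg_elements(safe_label(UNTRUSTED)))     # one text element only
```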
