Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SemanticScholar Search Skill
v0.1.0
Search academic papers, authors, and citations with detailed metadata using the Semantic Scholar API, supporting queries, paper details, author profiles, and...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, README, requirements.txt, and the Python code all align: the code uses the semanticscholar library to search papers, fetch paper/author details, and citations. Declared dependencies (semanticscholar, requests) match the implementation.
Instruction Scope
SKILL.md instructs the agent to perform searches, get paper/author details, and output results (console/json). The instructions and examples reference only Semantic Scholar API and local output files; there are no instructions to read unrelated system files, sweep environment variables, or send data to unexpected endpoints.
Install Mechanism
The registry contains no formal install spec, but README recommends installation methods that involve fetching code from an external GitHub user and running a remote installer (curl -LsSf https://astral.sh/uv/install.sh | sh). Executing remote install scripts (curl | sh) or using npx to pull directly from an external repo increases risk because arbitrary scripts could run on the host. The GitHub owner is not authoritative/verified in the metadata, and no release host verification is provided.
Credentials
The skill requires no environment variables by default and only documents an optional SEMANTIC_SCHOLAR_API_KEY for higher rate limits. That is proportionate for the described API usage. The code does not request unrelated secrets or multiple unrelated credentials.
Persistence & Privilege
Skill flags indicate no forced always-on presence; it is user-invocable and allows normal autonomous invocation. The package does not request system-wide config modifications in the files provided. No evidence it modifies other skills or global settings.
What to consider before installing
The skill's code and documentation are internally consistent with a Semantic Scholar client, but exercise caution before installing from an unverified source. Recommendations:
- Prefer cloning the repository and reviewing files locally rather than running remote installers (avoid curl | sh).
- Inspect the GitHub repo (owner JackKuo666) and commit history; confirm the code matches the packaged files.
- Install dependencies inside an isolated virtual environment or sandbox (venv or container) rather than system-wide.
- Avoid running the recommended remote installer (astral.sh) unless you trust that third-party tool; install uv or tools from their official pages or package managers instead.
- If you need higher rate limits, provide an official Semantic Scholar API key only to the local process in a safe environment.
If you can verify the repository and avoid running unreviewed remote scripts, the skill appears reasonable; if you cannot verify the source, do not install.
Like a lobster shell, security has layers — review code before you run it.
