!
Purpose & Capability
The skill's name and description describe a 23-stage autonomous research pipeline, and the code and docs align with that purpose (LLM use, literature search, experiment modes). However, the package/skill metadata declares no required environment variables or required binaries, while the code and README clearly expect an LLM API key (OPENAI_API_KEY), a 'researchclaw' CLI binary, and optionally a Python environment/SSH credentials for remote execution. The declared requirements are therefore inconsistent with the actual runtime needs.
!
Instruction Scope
SKILL.md and the README instruct users to install Python deps and set OPENAI_API_KEY, and they document the sandbox/ssh_remote modes. The runtime code copies a config template to config.yaml and then runs an external CLI via child_process.exec (researchclaw run ...). The code constructs a shell command by embedding the user-supplied topic directly into a shell string (--topic "${topic}"), which makes it vulnerable to command injection if an attacker or malformed input provides a crafted topic. The pipeline can execute generated experiment code (README warns about code execution), and remote/SSH modes imply use of credentials not declared in metadata. Overall, the instructions ask the agent/user to perform actions (install packages, provide API keys, potentially supply SSH hosts/credentials) that are not surfaced in the skill manifest.
ℹ
Install Mechanism
There is no automated install spec (instruction-only skill + code file), which reduces some risk, but package.json and README include manual installation steps (pip install -e .) and expect a separate 'researchclaw' CLI to be present. No remote downloads or obscure URLs are used in the provided files. Because installation is manual, the user will need to run the pip/npm commands themselves; that minimizes silent disk writes but still requires care.
!
Credentials
The skill metadata lists no required environment variables or primary credential, but config.example.yaml and README clearly expect an LLM API key (OPENAI_API_KEY) and optionally Semantic Scholar API key and SSH credentials for remote mode. The code also reads process.env.OPENCLAW_WORKSPACE. Requesting LLM API keys and optional SSH credentials is plausible for the described functionality, but the manifest should declare them; omission is a proportionality/visibility problem. The skill would also run arbitrary experiment code (local or remote), which may require additional privileges or secrets that are not declared.
✓
Persistence & Privilege
The skill does not request permanent inclusion (always:false) and does not modify other skills or global agent settings. It writes a config.yaml in its own skill directory and writes artifacts into an artifacts directory inside the workspace — this is normal for its purpose. Autonomous invocation is allowed (platform default) but not an additional privilege here.
What to consider before installing
Key points before installing or running this skill:
- Manifest mismatch: The skill metadata does NOT declare required env vars or the external 'researchclaw' CLI, but the code/README expect OPENAI_API_KEY, optional S2 API key, Python deps, and a researchclaw binary. Treat these as required and confirm them before use.
- Command injection risk: The skill builds a shell command embedding the provided topic string and passes it to child_process.exec. If untrusted input is used for the topic, an attacker could inject arbitrary shell commands. Only run this in an isolated environment and avoid untrusted topics.
- Code execution risk: The pipeline is designed to generate and run experiment code (sandbox/ssh_remote modes). Start in 'simulated' mode first and manually review any generated code before executing it locally or on a remote host.
- Secrets & remote access: If you provide API keys or SSH credentials, ensure they are scoped/minimized and do not reuse high-privilege keys. The skill does not declare these in its manifest — add them to config.yaml or env vars yourself after reviewing the code.
- Broken/unsafe code: The index.js file contains a likely syntax bug in updateConfig (malformed function signature) which may cause runtime failures; review and test the code before relying on it.
- Best practices before use: audit the repository (especially the external 'researchclaw' CLI it executes), run in an isolated VM/container, keep API keys limited, run first with simulated mode and verify generated artifacts, and fix or sanitize the command-construction to avoid shell injection (e.g., use execFile or pass args as an array).