ℹ
Purpose & Capability
SKILL.md and README claim multi-source retrieval (arXiv/PubMed/Google Scholar) and features like SCI-format output and fund-support modules. The included Python code implements a working arXiv search and analysis pipeline, but I only see arXiv-specific network calls; no PubMed/Google Scholar implementations are present in the visible code. The version numbers also differ (registry metadata 1.0.0 vs package.json 2.0.0). These mismatches are unexplained and reduce confidence in the stated capabilities.
✓
Instruction Scope
The runtime instructions in SKILL.md are narrowly scoped to research review workflows and do not instruct the agent to read arbitrary files, system credentials, or other unrelated resources. The skill is described as a compatibility shim forwarding to a unified 'research' entrypoint, which is a reasonable integration note.
!
Install Mechanism
There is no install spec (instruction-only), which is low-risk. However, package.json is present even though the skill is a Python script; it lists Python packages (requests, beautifulsoup4) under an npm manifest, which is inconsistent and could indicate sloppy packaging or mis-publishing. That mismatch is suspicious because it may cause confusion about how to install dependencies or hide additional install steps elsewhere.
✓
Credentials
The skill requests no environment variables, no credentials, and references no config paths. The code uses only outward HTTP(S) requests to public APIs (arXiv) and does not access secrets, so requested privileges are proportionate to its stated purpose.
✓
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide settings. There is no code in the visible files that writes to other skills' configs or requests elevated privileges.
What to consider before installing
- Capability mismatch: the SKILL.md/README advertise multi-source retrieval (arXiv, PubMed, Google Scholar) but the included Python code only implements arXiv queries. Ask the author or inspect the rest of the code to confirm support for PubMed/Google Scholar before relying on those features.
- Packaging oddness: package.json (an npm manifest) lists Python libraries and a different version than the registry metadata. This is likely a packaging mistake but could cause confusion about how to install dependencies; verify dependency installation instructions and run in an isolated environment.
- Network behavior: the script performs outbound HTTP requests to arXiv (public API). This will leak search queries and requested paper metadata to that remote service, which is expected for this skill but worth noting for sensitive queries. The script uses an http (unencrypted) arXiv endpoint, so check it against the network encryption policies in your environment.
- Source provenance: the skill source/homepage and owner details are minimal/unknown. If you need stronger assurance, request the upstream repository, tests, or an author identity and a signed release.
- Next steps to raise confidence: confirm full implementation (PubMed/Google Scholar), correct packaging metadata or provide a proper install spec, and review the remainder of the Python file (truncated in the manifest) for any unexpected external endpoints or file I/O. If you cannot obtain those, run the skill in a sandboxed environment and avoid providing private credentials or sensitive project text as inputs.