Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
cluade-scientific-writer-wrapper
v1.0.0
AI-powered scientific writing tool. Generate publication-ready papers, grant proposals, posters, and more with real-time research and verified citations.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with requiring python3, pip, and an ANTHROPIC_API_KEY for Claude. The skill legitimately needs to read user data files and produce outputs locally for writing tasks. Minor mismatch: SKILL.md also mentions an optional OPENROUTER_API_KEY for research lookups, but that env var is not declared in the registry metadata.
Instruction Scope
The SKILL.md tells the agent to pip install the 'scientific-writer' package at runtime and to read data files from a local data/ folder and write outputs to writing_outputs/. It also suggests creating a .env file to store API keys. These instructions permit installing and executing third-party code and reading/writing arbitrary local files—appropriate for this tool but increasing exposure. The file/secret handling (echoing keys into .env) is a minor operational risk. The reference to OPENROUTER_API_KEY is an undeclared env var the agent may try to access.
Install Mechanism
There is no formal install spec in the registry; instead SKILL.md instructs users/agents to run 'pip install scientific-writer'. Installing from PyPI (or default pip sources) is a moderate risk because it fetches and executes external code without a pinned version, checksum, or verified source. The package.json points to a GitHub repo, but the registry did not include code to inspect. No download-from-odd-URL flags, but unverified pip installs deserve caution.
Credentials
Only ANTHROPIC_API_KEY is declared as required, which is proportional for a Claude-based writer. The SKILL.md's optional OPENROUTER_API_KEY is not declared in metadata — a mismatch. The instructions also encourage storing secrets in a .env file (local persistent secret storage), which may be undesirable depending on your environment.
Persistence & Privilege
The skill does not request always:true, does not claim to modify other skills, and has no system-level persistence declared. It will read and write local project files (data/ and writing_outputs/), which is expected for a writer tool.
What to consider before installing
This skill mostly does what it says, but exercise caution before installing or running it. The SKILL.md asks you (or the agent) to 'pip install scientific-writer'—that pulls code from an external package repository without a pinned version or checksum. Before installing, verify the package source (check the linked GitHub repo, review the code, and prefer a specific version). Be aware it will read files from data/ and write outputs to writing_outputs/, and it asks you to provide your ANTHROPIC_API_KEY (required) and optionally an OPENROUTER_API_KEY (undeclared in metadata). Avoid echoing secrets into plaintext .env files in shared environments. If you can't review the package code, consider running it in a sandboxed environment (VM or container) or asking the author/maintainer for a signed release or source tarball you can inspect.
Like a lobster shell, security has layers — review code before you run it.
latest vk970rzfsz1j70cdz77sbb45va981t43z
Runtime requirements
🔬 Clawdis
Bins: python3, pip
Env: ANTHROPIC_API_KEY
