ScholarGraph-CancerFusionGenesResearch

PassAudited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent cancer-fusion-gene literature research workflow with expected API-key use, local commands, downloads, and report generation, but users should verify the external dependencies before running it.

Before installing, confirm that you trust the local ScholarGraph installation, use revocable API keys, and run the file download/report-generation commands only in the intended workspace.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

Running the workflow can create files and download documents in the local workspace.

Why it was flagged

The skill guides the agent/user to run local CLI commands and download files into the workspace. This is purpose-aligned for literature research, but it is still command and network activity that should be run knowingly.

Skill content

~/.bun/bin/bun run cli.ts search "lung cancer fusion gene review" --limit 10 ... curl -L -o "/workspace/research/fusion/review/filename.pdf"

Recommendation

Run the commands only in the intended workspace and review download/output paths before execution.

Low

#ASI03: Identity and Privilege Abuse

What this means

The skill may consume API quota and grants access to the configured provider services.

Why it was flagged

The workflow uses provider/search API credentials. This is expected for the ScholarGraph integration, and the artifacts do not show hardcoded secrets, logging, or unrelated credential use.

Skill content

export AI_PROVIDER=minimax
export MINIMAX_API_KEY="your-api-key" ... ScholarGraph download (需配置 SERPER_API_KEY)

Recommendation

Use scoped, revocable API keys and avoid placing real secrets in shared transcripts or committed files.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Behavior depends partly on code and packages outside this skill’s reviewed files.

Why it was flagged

The skill depends on an external local ScholarGraph installation and an npm package install rather than a pinned install spec. This is coherent with the stated workflow but creates normal dependency/provenance considerations.

Skill content

cd /root/.openclaw/workspace/skills/ScholarGraph ... npm install xlsx

Recommendation

Verify the installed ScholarGraph version and install trusted, pinned package versions where possible.