ClawHub
Back to skill
v1.0.0

Data Source Verification

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:18 AM.

Analysis

This looks like a benign research-data workflow, but it will create local provenance files and download papers when used.

GuidanceThis skill appears appropriate for organizing and auditing research data provenance. Before installing or using it, make sure you run it only in the intended project folder, review downloaded PDFs and generated CITATION.md files, and verify the package source if provenance matters for your workflow.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
Create the folder: `Citation_Sources/.../`; Download the original PDF; Create CITATION.md from the template

The skill asks the agent to create project files and download papers. This is disclosed and purpose-aligned, but users should be aware it can modify the local project workspace and fetch external documents.

User impactUsing the skill may add folders, PDFs, and provenance files to a project and may download papers from external sources.
RecommendationUse it in the intended project directory, review generated files, and approve or verify PDF downloads from trusted sources.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Source: unknown

The registry does not provide a verified source for the package. Because this is instruction-only and has no code or install script, this is a provenance note rather than a behavioral concern.

User impactUsers have less registry-level assurance about where the packaged skill came from.
RecommendationCompare the installed SKILL.md with the stated homepage or a trusted copy before relying on it for important research workflows.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityInfoConfidenceHighStatusNote
SKILL.md
Every cited paper gets a CITATION.md file... Data used: [exact values extracted, with table/figure reference]

The skill stores persistent provenance records that may be reused during later audits or exports. This is central to the skill's purpose, but incorrect or manually edited records could influence future dataset decisions.

User impactIf provenance notes are wrong, stale, or edited by mistake, later verification reports may repeat those errors.
RecommendationTreat CITATION.md files as reviewable project records, keep them under version control if possible, and cross-check important values against the original PDFs.