Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Target Novelty Scorer
v0.1.0 · Score the novelty of biological targets through literature mining and trend analysis
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description claim literature mining from PubMed/PMC and require an NCBI API key; the included Python script (scripts/main.py) implements a simulated PubMedSearcher that generates random data and does not perform real network calls. The SKILL.md lists additional dependencies (requests, pandas, biopython) that are not present in requirements.txt. These mismatches mean what the skill 'says' it will do is not what the shipped code actually does.
Instruction Scope
Runtime instructions are simple (run python scripts/main.py). SKILL.md implies network retrieval, API key usage, and multi-database cross-validation, but the actual script operates on simulated data and does not reference external config or unexpected system paths. The inconsistency grants the skill ambiguous scope: either it's a stub/draft (harmless) or the real networked behavior is missing from the shipped code (could be introduced later).
Install Mechanism
No install spec beyond pip install -r requirements.txt. requirements.txt is minimal (dataclasses, numpy) and there are no external downloads or archive extracts. Installation appears low-risk as provided.
Credentials
SKILL.md says an NCBI API key (and optional Europe PMC API) is required, but the skill registry metadata lists no required environment variables or primary credential. The shipped code accepts an optional api_key parameter but does not consume environment variables. This mismatch is concerning because credentials are referenced but not declared—users may be prompted to provide secrets without clear, traceable usage in the code.
Persistence & Privilege
Skill does not request persistent or elevated privileges (always: false). It does not declare config path access or system-wide modifications. No evidence of attempts to modify other skills or agent configuration.
What to consider before installing
The package is internally inconsistent: SKILL.md describes a networked PubMed/PMC crawler that needs API keys and extra libraries, but the included script uses simulated data and requirements.txt is minimal. Before installing or running:
(1) inspect scripts/main.py fully to confirm whether any real network calls or subprocesses are present (the shipped code appears simulated but double-check the untruncated file),
(2) treat any request for API keys as sensitive—only provide them if you verify code uses them and that calls go to official endpoints (ncbi.nlm.nih.gov or europepmc.org) over HTTPS,
(3) run the skill in a sandbox or isolated environment without network access initially to observe behavior,
(4) if you expect real PubMed integration, require the author to reconcile requirements.txt and SKILL.md (add explicit environment variable declarations for API keys) and to provide provenance (repository/homepage and author identity) and tests, and
(5) if you cannot verify these, avoid supplying secrets or running the skill on sensitive systems.
Additional information that would raise confidence: a project repo/homepage, a clear list of declared env vars for API keys, and a version of the script that demonstrably uses official APIs with HTTPS and reasonable rate/timeout handling.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97da7j9hsx9qgx8tmgcd6j5pn82vzjx
