Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Paper Workflow

v0.1.0

Turn existing project assets into a submission-ready academic paper. Use when the task involves CFP alignment, evidence scoping, abstract selection, outline...

by Zhaofeng @lzfxxx
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (turn project assets into a paper) match the actual behavior: orchestration of drafting, figure planning, and reviewer gates. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
SKILL.md is instruction-only and stays on-topic (inventory assets, produce abstracts/outlines, call companion skills). It explicitly instructs the agent to read project assets (code, docs, logs, screenshots) — which is expected for this task but does mean the agent will access local project files. It also tells the agent to fetch and follow remote SKILL.md files for companion skills.
Install Mechanism
This skill has no install spec itself (low risk). However it instructs the agent/user to curl skill definitions from lobehub and to install a companion via npx (npm/GitHub). Those steps involve fetching and running external content/packages and are standard for skill composition but introduce supply-chain risk — review the fetched SKILL.md and packages before running.
Credentials
The skill requests no environment variables, credentials, or config paths. Companion skills might require credentials, but this skill itself does not ask for secrets or unrelated access.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request force-inclusion or system-wide modifications. Autonomous invocation is allowed by default on the platform but is not an additional red flag here.
Assessment
This orchestration skill itself is coherent and does not request secrets or system-wide access. Before installing or running it, review the companion skills it instructs you to fetch (the lobehub curl targets and the npx package) because those are external content sources and could execute arbitrary instructions. Consider: 1) inspect the remote SKILL.md files and companion skill repos before running npx or curl pipelines; 2) run installs in a sandboxed environment if possible; 3) be prepared that the agent will read your project files (code, logs, screenshots) — only run it on project data you are comfortable sharing with installed skills; and 4) verify any companion skill that requests credentials or network access before providing secrets.
