Discovery Engine
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears purpose-aligned for extracting information from public scientific papers. It discloses that it saves files locally and offers optional GitHub submission steps, which users should review before use.
This skill looks reasonable for research-paper extraction. Before using the optional submission flow, review the JSON files in `~/.discovery/data/batch/`, make sure they do not contain private or unwanted content, and confirm that GitHub CLI is logged into the account you want to use.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may run local helper commands that fetch paper metadata and write extraction results.
The skill asks the agent to run local command-line tools. The commands are visible, scoped to paper discovery/extraction/submission, and fit the stated purpose.
Run `python scripts/extract.py discover` ... Save each result via `python scripts/extract.py save` ... Optionally submit results as a PR via `gh`
Use it for intended research extraction tasks and review the generated files before validating or submitting them.
If the submission step is run, your GitHub account may create a fork, push files, and open a public pull request.
The optional submission workflow uses the user's GitHub CLI identity to fork, push a branch, and create a pull request. This is disclosed and scoped, but it does use account authority.
`gh repo fork pcdeni/discovery-engine --clone=false` ... `BRANCH="contrib/$(gh api user --jq .login)/$(date +%Y%m%d-%H%M%S)"` ... `git push -u origin "$BRANCH"` ... `gh pr create`
Only run the GitHub submission step when you intentionally want to publish the batch, and confirm which GitHub account `gh` is logged into.
Extraction outputs remain on disk and may later be copied into a GitHub submission if the optional PR workflow is used.
The skill persists generated extraction JSON locally for later validation or submission. This is expected for the workflow, but users should know where generated content is stored.
The save command normalizes format issues, validates, adds metadata, and saves to `~/.discovery/data/batch/`.
Review or delete files under `~/.discovery/data/batch/` if they contain content you do not want retained or submitted.
