Skill v1.0.0
ClawScan security
Academic Research · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 19, 2026, 2:21 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (searching OpenAlex and producing literature reviews); it makes external API calls and caches results to /tmp but requests no secrets or unusual privileges.
- Guidance: This skill is coherent with its description: it calls OpenAlex (and optionally Unpaywall) over the network to fetch paper metadata and full-text URLs, and it caches API responses under /tmp/litreview_cache/. Before installing or running, be aware that: (1) the scripts require Python and the 'requests' library (not declared in metadata) — run them in a virtualenv or environment you control; (2) network access is required and responses are written to /tmp (which could persist until system cleanup); (3) no secrets or API keys are requested by the skill. If you need stricter controls, review/modify the scripts (e.g., change cache path or MAILTO) before running.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included Python scripts: both scripts call the OpenAlex API (and Unpaywall for PDFs) to search papers, fetch details, follow citations, and generate reviews. No unrelated credentials, binaries, or services are requested.
- Instruction Scope (note): Runtime instructions and examples only run the included Python scripts. The scripts perform network calls to OpenAlex and Unpaywall, reconstruct abstracts from returned JSON, and optionally write an output file. They also cache API responses under /tmp/litreview_cache/ to avoid refetching. They do not read arbitrary user files, environment secrets, or system config.
- Install Mechanism (ok): No install spec is provided (instruction-only install). The package includes Python scripts that rely on the 'requests' library; the SKILL.md shows invoking them with python3. No remote downloads or archive extraction occur during install.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. The only hard-coded contact string is MAILTO (topanga@ludwitt.com) used as a polite parameter for APIs. No secrets like API keys or tokens are required.
- Persistence & Privilege (ok): always:false and no modifications to other skills or system-wide settings. The only persistence is a cache directory under /tmp written by the literature-review script; this is proportional to the stated caching behavior.
