Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Scholar API

v1.0.0

Google Scholar academic paper search and download via SerpAPI. Use cases include: 1) searching academic papers by keyword, 2) retrieving paper details (title, authors, abstract, year, citation count), 3) downloading available PDF files, 4) batch retrieval of related literature, 5) filtering papers by year, citation count and other criteria. Requires a SerpAPI key (available from ser...

by MaiiNor@rutianze
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The skill legitimately uses SerpAPI and downloads PDFs (which matches the name/description). However the registry metadata lists no required environment variables or primary credential while the SKILL.md and code require SERP_API_KEY; that's an incoherence — the skill needs an API key but the manifest doesn't declare it.
Instruction Scope (flagged)
Runtime instructions and examples are focused on search and downloading PDFs (expected). But the docs include insecure debug advice that prints the SERP_API_KEY (logging a secret) and INSTALL.md recommends writing a backup file containing the API key (~/.scholar_api_backup.sh). Also INSTALL.md references running a 'test_skill.py' that is not present in the file manifest — another inconsistency.
Install Mechanism
No install spec is provided (instruction-only with shipped scripts). Dependencies are standard Python packages (google-search-results, requests) and there are no suspicious remote downloads or archive extraction. Risk from install mechanism itself is low.
Credentials (flagged)
The skill requires a SerpAPI key (the code raises if SERP_API_KEY is missing) but the registry incorrectly lists no required env vars/primary credential. Additionally, examples and install docs suggest storing the key in environment or writing it to a file, which increases risk of accidental exfiltration or leakage.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It will create local caches and download directories, and may write a backup file if the user follows the install instructions. This is normal for this type of tool, but these file writes are persistent and can contain secrets if the user follows the backup advice.
What to consider before installing
This skill appears to implement what it claims (SerpAPI-based Google Scholar search and PDF download), but the package metadata omitted the required SERP_API_KEY declaration and the docs include insecure practices. Before installing:
1) Treat SERP_API_KEY as a secret — do not print it in logs or store it in plaintext files; remove or avoid the debug line that prints the key and do not run the INSTALL.md backup command that writes the key to ~/.scholar_api_backup.sh.
2) Confirm you trust the skill source (homepage unknown).
3) Rotate the API key if you accidentally exposed it while testing.
4) Consider editing the skill to require SERP_API_KEY in its manifest, remove debug printing of secrets, and avoid recommending backing up keys to disk.
5) Note that PDF downloads will fetch content from arbitrary hosts (arXiv, publishers) — review download behavior if you need to restrict network access or sandbox execution.
Finally, the INSTALL.md references a missing test_skill.py file — ask the provider for clarification or inspect the code before running.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97asvrptymj6bz7c0ykwxh32d83tsjk

