Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Citation Chasing Mapping
v0.1.0
Use when identifying seminal papers in a research field, mapping research lineage and intellectual heritage, discovering related work through reference track...
by AIpoch @aipoch-ai
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the included scripts: the code queries the Semantic Scholar API, builds a citation graph, and exports JSON outputs. However, SKILL.md examples import modules (e.g., scripts.citation_mapper, CitationNetworkMapper) and reference 'references/' docs that are not included in the bundle; some SKILL.md capabilities (interactive visualizations saved as HTML/PDF) are shown but corresponding files or dependencies are not present. This mismatch suggests the package is incomplete or the docs are out of sync with the code.
Instruction Scope
SKILL.md instructs running scripts/main.py and writing output files (network JSON, PDF/HTML). The runtime instructions do not ask for system secrets or unrelated file paths. However the SKILL.md metadata includes allowed-tools: "Read Write Bash Edit", which grants broad file and shell capabilities — potentially more privilege than strictly required for querying an external API and writing output. Also examples reference modules/functions not present, which could lead the agent or user to attempt to fetch missing code from external sources.
Install Mechanism
No install spec is provided (instruction-only plus included script). Nothing in the bundle instructs downloading code from arbitrary URLs or installing packages automatically.
Credentials
The skill declares no required environment variables, credentials, or config paths. The included code makes unauthenticated requests to the public Semantic Scholar API endpoints and does not attempt to read environment variables. Requested privileges are therefore proportionate to the stated functionality.
Persistence & Privilege
The skill is not marked always:true and has no install-time persistence. But SKILL.md's allowed-tools grants the agent the ability to read/write files and run bash; combined with missing modules in docs, this could cause the agent or user to execute shell commands to fetch additional code or install dependencies — increasing risk. No explicit changes to other skills or system-wide settings are present in the package.
What to consider before installing
This package appears to implement citation-network features and uses the public Semantic Scholar API, but the documentation and examples reference modules, guides, and visualization features that are not present in the bundle. Before installing or running:
1) Inspect scripts/main.py fully to confirm behavior (network calls only to api.semanticscholar.org, file writes limited to output files).
2) Be cautious about the SKILL.md allowed-tools setting (Read/Write/Bash/Edit) — reduce permissions if possible or run in a sandbox.
3) If you need the missing modules (scripts.citation_mapper, references/...), get them from a trusted source or contact the skill author; do not let the agent fetch arbitrary code automatically.
4) Confirm any runtime dependencies (visualization libs) and install them deliberately from known package registries.
5) Consider running the tool in an isolated environment and verify outputs before sharing sensitive data.
If you want, provide the full scripts/main.py (untruncated) and any missing referenced files so I can re-evaluate with higher confidence.
Like a lobster shell, security has layers — review code before you run it.
latest vk97cfd3kaaaxxp553drmceb3198344k1
