ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

figshare-skill

v0.1.0

Use whenever the user wants to interact with Figshare - searching public datasets/articles, downloading Figshare files, listing their own articles/collection...

0· 9·0 current·0 all-time
byAgents365.ai@agents365-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and included scripts align with Figshare API operations (search, download, create/update/publish, multi-part uploads). The helper scripts and SKILL.md use the Figshare v2 REST API as advertised — capability is coherent with purpose.
Instruction Scope
SKILL.md gives explicit curl/jq recipes and the scripts perform expected actions (download to disk, stat files, compute md5, chunk with dd, PUT parts). The runtime instructions correctly require explicit user confirmation before destructive actions. These instructions do read local files (for uploads) and use an auth token — which is appropriate for the described upload/account flows.
Install Mechanism
This is an instruction-only skill with bundled shell scripts; there is no network-based install or third-party package download that would introduce extra code. Installation directions are simple git clones to user skill directories.
!
Credentials
The registry metadata lists no required environment variables, but SKILL.md and all helper scripts explicitly require FIGSHARE_TOKEN (and enforce it). The skill will read and use a personal Figshare token from the environment; that credential is appropriate for the stated functionality but must be declared up front. The metadata omission is an incoherence that could lead users to supply a token without realizing the skill will use it, increasing risk of accidental credential exposure or misuse.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous-invocation behavior. It does not request or attempt to modify other skills or system-wide settings. Helper scripts write downloaded files to the current/output directory as expected.
What to consider before installing
This skill appears to do what it says (Figshare search, download, upload), but the metadata omitted the single required env var FIGSHARE_TOKEN while the SKILL.md and all scripts require it. Before installing: (1) inspect the included scripts (upload.sh, new-version.sh, download.sh) — they run curl/jq, read files, and will write downloads to disk; (2) only provide a Figshare personal token with the minimum needed scope and consider using a revocable test token; (3) confirm the agent prompts you before publishing/publishing new versions (SKILL.md says to ask, but verify the agent enforces it); (4) if you maintain the registry entry, ask the author to update metadata to declare FIGSHARE_TOKEN so the requirement is explicit. If you cannot review the scripts yourself, run the skill in a sandboxed environment or refrain from supplying production credentials.

Like a lobster shell, security has layers — review code before you run it.

apivk975ytfcncn08cqv8f1zwzsyj984f30cdownloadvk975ytfcncn08cqv8f1zwzsyj984f30cfigsharevk975ytfcncn08cqv8f1zwzsyj984f30clatestvk975ytfcncn08cqv8f1zwzsyj984f30cresearch-datavk975ytfcncn08cqv8f1zwzsyj984f30cuploadvk975ytfcncn08cqv8f1zwzsyj984f30c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments