Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Literature Review

v1.0.0

Assistance with writing literature reviews by searching for academic sources via Semantic Scholar, OpenAlex, Crossref and PubMed APIs. Use when the user need...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
View report →
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (literature review via Semantic Scholar, OpenAlex, Crossref, PubMed) align with the included Python script and SKILL.md which call those APIs and perform deduplication and synthesis. However, there are packaging/metadata inconsistencies: registry metadata/version (1.0.0, owner kn7024...) differs from SKILL.md/_meta.json (version 1.2.0, owner kn70465...), and the skill lists optional env vars in SKILL.md though the registry lists 'required env vars: none'. These mismatches are not proof of maliciousness but are unexpected and should be verified with the publisher.
Instruction Scope
Runtime instructions only direct the agent to run the provided script to query the declared external APIs. The script only reads a few environment variables (SEMANTIC_SCHOLAR_API_KEY, OPENALEX_API_KEY, USER_EMAIL/CLAWDBOT_EMAIL) and does not access unrelated local files, system credentials, or arbitrary endpoints. No ambiguous 'gather whatever context you need' directives are present.
Install Mechanism
No install spec is provided (instruction-only plus a script file). That is low risk compared to downloadable installers. The included Python script uses the requests library but there is no automatic package installation specified.
Credentials
The script optionally uses API keys and an email for polite API usage; these env vars are proportional to the stated purpose. It does not require high-privilege or unrelated credentials. Still, be cautious before supplying any API keys or an email: use keys with limited scope and avoid sharing secrets you need elsewhere.
Persistence & Privilege
The skill is not always-enabled (always: false), does not request to modify other skills, and does not persist new credentials or change system settings. It appears not to require elevated or persistent privileges.
What to consider before installing
This skill appears to do what it says: run a Python script to query Semantic Scholar, OpenAlex, Crossref, and PubMed. Before installing or running it: (1) verify the publisher/owner and resolve the version/ownerId mismatch between the registry and the included _meta.json/SKILL.md; (2) inspect the included scripts locally (they are short and readable) to be comfortable with network calls; (3) if you provide API keys or an email, prefer throwaway or rate-limited keys and avoid reusing high-privilege credentials; (4) run the script in an isolated environment (container or VM) if you have any doubt; (5) if you need higher assurance, ask the publisher to explain the metadata/version mismatch or provide a signed release.

Like a lobster shell, security has layers — review code before you run it.

