Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Literature Search Pro

v1.0.0

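Professional-grade multi-database academic literature search with smart deduplication, quality ranking, and automatic caching, covering data from OpenAlex, Semantic Scholar, and arXiv.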


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jirboy/literature-search-pro.

Install the skill "Literature Search Pro" (jirboy/literature-search-pro) from ClawHub.
Skill page: https://clawhub.ai/jirboy/literature-search-pro
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install literature-search-pro

ClawHub CLI


npx clawhub@latest install literature-search-pro
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the implementation: the code queries OpenAlex, Semantic Scholar, and arXiv, implements deduplication, sorting, and caching. The presence of search.py and index.js is coherent with the stated functionality.
Instruction Scope
index.js constructs a shell command string and calls child_process.exec to run search.py, embedding the user query inside double quotes without escaping. This creates a command-injection risk if the query contains shell metacharacters or quotes. The skill writes a cache directory under its own folder (expected) and does not read arbitrary user files or environment variables, but the unsafe subprocess invocation is a serious scope/exec concern.
Install Mechanism
No install spec — instruction/code-only skill. No remote downloads or extract steps. package.json lists python/requests as peer deps (so runtime requires Python and the requests library), but nothing is installed automatically by the skill registry.
Credentials
The skill does not request environment variables or credentials. config.json contains an s2_api_key field but the visible code does not use an API key or read environment variables — this is a minor mismatch (config present but apparently unused). Otherwise requested access (writing a local cache directory under the skill folder) is proportionate.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It writes a local cache directory inside the skill folder (normal). It does not modify other skills or global configuration.
What to consider before installing
This skill appears to implement what it claims (multi-source literature search) and does not request secrets, but there is a clear security concern: index.js builds a shell command that embeds the query string without escaping and invokes python via child_process.exec, which can allow command injection if a query includes quotes or shell metacharacters. Before installing or enabling autonomous use: (1) ask the maintainer to fix the invocation to use a safe spawn/execFile pattern or pass arguments as an array (avoid a single shell command); (2) ensure the Python 'requests' dependency is installed in a controlled environment; (3) verify whether the s2_api_key in config.json should be used and, if so, how it will be provided (currently unused); (4) audit the rest of search.py for any outbound network endpoints beyond OpenAlex/Semantic Scholar/arXiv (the visible code appears to call only those); and (5) avoid passing untrusted input (especially from external agents) until the command-injection issue is resolved. If you cannot get these mitigations, treat the skill as risky to enable for autonomous agents.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97d6yf2dqqc3esp24avnxsx4n84zyvh
60 downloads
0 stars
1 versions
Updated 1w ago
v1.0.0
MIT-0

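⚠️ Consolidated - please use the unified search entry point

This skill is kept for backward compatibility; its functionality has been merged into the unified search entry-point skill.

Recommended: search scholar [field] [parameters], or use this skill directly (requests are forwarded automatically)


Literature Search Pro (compatibility layer)

A professional-grade academic literature search skill that integrates three major databases (OpenAlex + Semantic Scholar + arXiv).

Migration guide

New usage: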

search scholar 图神经网络 药物发现 max_papers=20
search scholar 振动台子结构试验 year=2023-2026
search scholar 结构损伤识别 深度学习 high_citation

Old usage (still works):

scholar 图神经网络 药物发现 max_papers=20

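Supported databases

Database | Rate limit | Characteristics | Priority
OpenAlex | 10K/day | Most permissive, broad coverage | First
Semantic Scholar | 1K per 5 minutes | Accurate citation data | Second
arXiv | 1 request per 3 seconds | Latest preprints | Third

Core features

  • ✅ Multi-source search (OpenAlex + Semantic Scholar + arXiv)
  • ✅ Smart deduplication (DOI / arXiv ID / fuzzy title matching)
  • ✅ Quality ranking (automatically sorted by citation count)
  • ✅ Automatic caching (avoids repeated requests)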
