Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Patent Claim Mapper
v1.0.0
Use when mapping patent claims to products, analyzing patent infringement, or preparing freedom-to-operate analyses. Compares patent claims against product f...
by AIpoch (@aipoch-ai)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (map patent claims to product features for biotech/pharma) is consistent with the included code structure (parsing claims, extracting features, comparing). Nothing in the package requests unrelated credentials or system access. However, SKILL.md examples and code refer to different module/class names (e.g., examples reference scripts/claim_mapper.py and ClaimMapper, while the code defines PatentClaimMapper in scripts/main.py), indicating sloppy packaging and mismatches between documentation and code.
Instruction Scope
SKILL.md instructs users to 'Edit the in-file CONFIG block' and shows imports/CLI examples that reference non-existent names/paths (scripts/claim_mapper.py, ClaimMapper). The actual script is truncated at runtime (ends with 'mapper = Pate...'), so following the SKILL.md 'Audit-Ready Commands' will likely fail. The instructions also claim packaged entry point is scripts/main.py but examples and Quick Start use different filenames — this divergence is likely to cause execution errors or accidental misuse.
Install Mechanism
No install spec (instruction-only install) — low installation risk. The repository includes a requirements.txt with 'dataclasses' which is unnecessary for Python 3.10+ (the SKILL.md requires Python 3.10+), suggesting poor maintenance but not a direct supply-chain concern. No downloads, URLs, or external installers are present.
Credentials
The skill requests no environment variables, no credentials, and no config paths. There are no signs of network calls or exfiltration in the visible code. This matches the expected scope (local text-file analysis).
Persistence & Privilege
No special persistence flags or 'always: true' are set. The skill does not request autonomous elevated privileges or modify other skills. Default agent invocation behavior applies and is appropriate for this type of tool.
What to consider before installing
Do not run this skill against real or sensitive IP yet. The package has clear inconsistencies and an incomplete main script that will likely crash. Recommended steps before installing or using:
1. Obtain the complete scripts/main.py (file is truncated) and verify it compiles: run python -m py_compile scripts/main.py in a safe sandbox.
2. Reconcile filenames and entry points: update SKILL.md examples, CLI usage, and Quick Start so they match the actual module/class names (e.g., ClaimMapper vs PatentClaimMapper, scripts/claim_mapper.py vs scripts/main.py).
3. Audit the full source for any network I/O or hidden endpoints after getting the complete file (none visible now, but the file is incomplete).
4. Remove or justify the 'dataclasses' dependency in requirements.txt (unnecessary for Python 3.10+).
5. Run unit tests or smoke tests with non-confidential sample inputs to verify behavior and outputs (check that keyword extraction and similarity logic are fit for biotech/pharma language).
6. If you must analyze real confidential product or patent text, run the tool in an isolated environment (offline VM) until the codebase is fixed and reviewed.
If you want, provide the complete scripts/main.py and any missing files so I can re-evaluate and give a higher-confidence verdict.
Like a lobster shell, security has layers — review code before you run it.
latest vk97bd1fp01pxtt1z41q0vpd2ps83ws4r
