Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

pubmed-paper-monitor

v1.0.0

Monitor journals precisely via ISSN lookup to track new PubMed papers with bilingual titles and detailed metadata.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for chenghan66/pubmed-paper-monitor.

Install the skill "pubmed-paper-monitor" (chenghan66/pubmed-paper-monitor) from ClawHub.
Skill page: https://clawhub.ai/chenghan66/pubmed-paper-monitor
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pubmed-paper-monitor

ClawHub CLI


npx clawhub@latest install pubmed-paper-monitor

Security Scan

VirusTotal: Pending

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The code (monitor.py) and SKILL.md align with the stated purpose: searching NCBI/Entrez for journals and PubMed articles via ISSN or journal name. The script imports Biopython (Bio.Entrez), which is a reasonable dependency for this purpose. However the SKILL.md metadata contains a malformed install line ('uv pip install biopython') instead of a clear install step, and the script hardcodes Entrez.email to a third-party personal email rather than allowing the user to supply their own contact address — this is unexpected and should have been declared as a configurable parameter.
Instruction Scope
SKILL.md mandates strict behavior: use monitor.py only, avoid Crossref/internal search unless 'monitor.py fails after 3 retries', and require immediate bilingual translation plus saving full reports to the Desktop if >20 articles. The monitor.py implementation contains no retry logic or failure-count reporting, so the '3 retries' rule cannot be satisfied by the script as provided — this is an inconsistency. The requirement that the agent perform translations itself (rather than calling a translation API) is a functional constraint but not inherently dangerous; however the instructions force writing potentially large, unencrypted data to the user's Desktop which may have privacy implications.
Install Mechanism
There is no formal install spec in the package; the skill is instruction-only plus a Python script. The SKILL.md metadata suggests installing Biopython (which the script needs) but the entry is malformed ('uv pip install biopython') and therefore unreliable as an automated install instruction. Because the dependency is a normal PyPI package and there are no downloads from unknown URLs, install risk is low if the dependency is installed from a trusted source — but the metadata mismatch is sloppy and could break deployment.
Credentials
The skill requests no environment variables or credentials, which is appropriate. However the code hardcodes Entrez.email to 'chenghan_xiao@hotmail.com' — this is a privacy/attribution concern (network requests will be attributed to that email at NCBI) and is unexpected for a user-facing skill. The skill does not provide a documented way for the user to supply their own email/contact or to configure API rate/settings; that reduces proportionality and control for the end user.
Persistence & Privilege
The skill does not request persistent privileges (always:false) and does not modify other skills or system config. It can be invoked autonomously by the agent (disable-model-invocation:false) which is the platform default — this alone is not a new risk given the other concerns, but note the skill's instructions mandate automatic writing of reports to the Desktop which increases its potential to persist user data.
What to consider before installing
This skill appears to implement a PubMed ISSN-based monitor but has several red flags you should consider before installing: (1) the code hardcodes a third‑party email address (Entrez.email) — you should replace it with your own contact or make it configurable; (2) the SKILL.md install line is malformed and may not install Biopython automatically — ensure Biopython is installed from a trusted source; (3) SKILL.md requires behavior (3 retries, exclusive use of monitor.py) that the script does not implement — expect runtime mismatches; (4) the skill will write full reports to your Desktop when >20 articles — review what data it will store and whether that is acceptable. If you proceed, ask the author to (a) remove or make the Entrez.email configurable, (b) fix the install metadata, and (c) add clear retry/failure behavior or allow fallback sources so the instructions and code match. If you cannot validate those fixes, treat the skill as untrusted or run it in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.

latest vk97efz619859756wvkfgnm2qpd84r7ks
67 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

Instructions

You are a highly efficient research assistant. Follow these rules without exception:

  1. Use monitor.py Only:

    • Do NOT create your own Python scripts.
    • Do NOT use Crossref or internal search unless monitor.py fails after 3 retries.
    • The script now supports ISSN lookup, so it is highly accurate.
  2. Self-Translation (MANDATORY):

    • Do NOT ask the user to call translation APIs or other skills.
    • You have native-level translation capabilities. Use them.
    • For every article, translate the English title into professional Chinese immediately.
  3. Output Execution:

    • If more than 20 articles are found:
      • Step 1: Tell the user: "Found [count] articles. Processing the full report to your Desktop."
      • Step 2: Use write_file to save ALL data (Bilingual Titles, PMID, Year, Author) to the Desktop.
      • Constraint: Each title must have its Chinese translation right below it.
  4. Template Enforcement:


    English: [title]
    中文标题: [Your professional Chinese translation]
    Info: PMID:[pmid] | Year:[year] | Author:[author]

