Scientific Graphical Abstract Skill
v0.1.2Generate editable, publication-quality SVG graphical abstracts for scientific papers using AI models with customizable charts, diagrams, and data-driven visu...
⭐ 0· 485·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (generate editable SVG graphical abstracts) aligns with the included code and examples. However, the README and SKILL.md advertise integrations with Anthropic/ OpenAI/DeepSeek APIs while the skill metadata declares no required environment variables — that's a mild mismatch (API use is optional in code, but metadata doesn't document these optional creds).
Instruction Scope
SKILL.md and README instruct the agent/user to load local CSV/JSON files and optionally use AI model APIs. That scope is appropriate for the feature set, but the runtime instructions assume availability of API keys and local files while metadata omits those env declarations. The README also suggests running external install steps and placing files under ~/.claude/skills, which will write to user disk; the instructions grant broad discretion to call external APIs if keys are provided.
Install Mechanism
The registry lists no install spec, but README suggests installation from a personal GitHub repo and provides a remote install pipeline: an npx clone URL and a curl | sh command to install 'uv' (https://astral.sh/uv/install.sh). Remote install scripts and cloning unverified repos increase risk; the skill lacks an official, vetted install spec in the registry.
Credentials
The code (Config._load_api_keys) reads ANTHROPIC_API_KEY, OPENAI_API_KEY, and DEEPSEEK_API_KEY from the environment and README documents these optional vars, but the skill metadata declares no required env vars. Requesting API keys for multiple providers is understandable for multimodel support, but the metadata omission is an inconsistency and increases the chance users provide credentials without clear justification. Provide keys only if you trust the code and owner.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide config paths, and README describes installing into the user's skills directory (~/.claude/skills). Nothing in the package requests elevated or persistent privileges beyond normal installation.
What to consider before installing
Key points to consider before installing:
- Verify the source repository and author (README points to a personal GitHub). Only install from a repo/account you trust.
- The README suggests running a remote installer (curl https://astral.sh/uv/install.sh | sh). Avoid piping unknown scripts to sh; review the script first or use an alternative installation method.
- The code will read ANTHROPIC_API_KEY / OPENAI_API_KEY / DEEPSEEK_API_KEY from your environment if present. The skill metadata did not declare required env vars — do not supply API keys unless you trust the code and repository. If you must provide keys, create least-privilege credentials and monitor usage.
- The included Python script appears to depend on listed requirements; consider running it in an isolated virtual environment or sandbox before granting any credentials.
- There is a minor code quality issue (math is used in several methods but not imported in the visible snippet) — this suggests limited review/testing; review the full code for other bugs or hidden network calls.
- If you want to proceed, review the full repository contents locally (search for network calls, external endpoints, and code that reads arbitrary files outside the skill folder), or ask the publisher to add clear requires.env metadata and an official install spec.Like a lobster shell, security has layers — review code before you run it.
latestvk9760g9rqhwwrb069nzfczhc0n82dpk4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.