Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Target Novelty Scorer
v1.0.0
Score the novelty of biological targets through literature mining and.
by AIpoch (@aipoch-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
SKILL.md and description state the tool retrieves literature (PubMed/PMC) and lists NCBI API key, requests, biopython, and pandas as dependencies. The shipped code (scripts/main.py) does not perform network calls; PubMedSearcher.search() returns simulated/randomized data. Declared capabilities (real literature retrieval) do not match the actual implementation (local simulation).
Instruction Scope
Runtime instructions are limited to running the packaged script and validating inputs; they do not ask the agent to read unrelated files or export secrets. However, SKILL.md instructs users to provide an NCBI API key and mentions editing an in-file CONFIG block — the code does not require or use such credentials, creating a gap between instructions and actual behavior that could confuse users or cause them to expose keys unnecessarily.
Install Mechanism
No install spec — skill is instruction-only with a bundled script. That minimizes installation risk. Minor mismatch: SKILL.md lists many Python dependencies, but requirements.txt only lists dataclasses and numpy; this is an implementation/documentation inconsistency rather than a direct install risk.
Credentials
SKILL.md lists 'NCBI API Key' (and optional Europe PMC) as API requirements, but the registry metadata declares no required environment variables and the included script does not use any environment credentials. Asking for an API key in docs while not declaring or using it is disproportionate and could lead users to provide secrets unnecessarily if they attempted to wire them in.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always: false). It does not install services or modify other skills. Autonomous invocation is allowed by default but is not combined with broad credential access or system modifications.
What to consider before installing
This skill is functionally inconsistent: its documentation promises real PubMed/PMC retrieval and lists NCBI/API dependencies, but the included script simulates results locally and doesn't use network calls or credentials. Before installing or using it:
(1) Do not provide API keys to this skill — the registry metadata does not require them and the code doesn't use them.
(2) Inspect scripts/main.py fully and run python -m py_compile scripts/main.py in a safe environment to confirm behavior.
(3) If you need real literature mining, ask the author or maintainer to: implement actual PubMed/E-utilities calls (or clarify it's intentionally a demo), update requirements.txt, and declare any required environment variables explicitly.
(4) Treat outputs as synthetic/demo data until the code is confirmed to perform real retrieval; do not use this for sensitive research decisions without verification.
Like a lobster shell, security has layers — review code before you run it.
latest vk971s0vx1xg9rmx708svhptnpx842vnz
