Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

XY PubMed PDF Downloader

v1.0.0

Download PDFs from PubMed Central (PMC) and Europe PMC. Use when the user needs to download open-access academic papers from PubMed Central using PMC ID, Pub...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (download open-access PDFs from PMC/Europe PMC) matches the included script and SKILL.md. The script implements PMC/PMID/DOI parsing, calls NCBI idconv endpoints and Europe PMC PDF rendering, and writes PDF files to a local output directory — all expected for this purpose.
Instruction Scope
SKILL.md only instructs running the bundled Python script and installing the requests library. The script only reads the provided identifier list or CLI argument and writes downloaded PDFs to a user-specified directory. It does not read unrelated system files, environment variables, or send data to unknown third parties.
Install Mechanism
There is no install spec; this is instruction-only plus a small Python script. The only third-party dependency is the widely used 'requests' library (documented in SKILL.md). No downloads from obscure URLs or archive extraction are present.
Credentials
The skill requests no environment variables, secrets, or credentials. That matches its functionality: it uses public NCBI/Europe PMC APIs and does not need auth. No disproportionate credential access is requested.
Persistence & Privilege
'always' is false and the skill does not modify other skills or system-wide settings. It runs as a simple CLI script and stores files only in a user-specified (or default) downloads directory.
Assessment
This skill appears to do exactly what it says: convert identifiers and download open-access PDFs from NCBI/Europe PMC. Before running, inspect the script (already included), run it in a controlled environment, and install only the documented dependency (pip install requests). Respect publisher terms and server load: the script includes a 1s delay in batch mode, but avoid very large automated downloads. Because it performs network requests to public NCBI/europepmc endpoints and writes files locally, ensure you are comfortable with that and do not pass private identifiers or credentials (none are required).

Like a lobster shell, security has layers — review code before you run it.
