sci-journal-search

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill matches its stated journal-search purpose, with minor user-awareness notes about external website queries, Python script dependencies, and optional browser automation.

This appears safe for its stated purpose. Before installing, be aware that it runs local Python scripts, contacts external journal data sites, and the optional LetPub mode uses and then closes the browser tool session.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user chooses LetPub mode, the agent may open a web page and then close/stop the browser session after parsing it.

Why it was flagged

The skill intentionally delegates optional LetPub lookup to the agent's browser tool and instructs browser cleanup afterward. This is disclosed and purpose-aligned, but it affects the browser tool session.

Skill content

The agent parses the JSON and calls the browser tool to open the URL ... the browser is closed automatically once the query completes

Recommendation

Use --letpub only when browser automation is acceptable; use the default query mode if you only need XinRui/JCR partition data.

What this means

The skill may not run unless the local Python environment has the needed modules, and users should understand that they are running included Python scripts.

Why it was flagged

The package is operated through local Python scripts, while the registry/install information does not declare required binaries or Python package dependencies. This is a dependency clarity gap.

Skill content

"scripts": { "query": "python3 scripts/query.py", "letpub": "python3 scripts/query-letpub.py" }

Recommendation

Install from a trusted source and ensure python3 and required Python modules such as requests are available before use.

What this means

Journal names or ISSNs you search for are sent to the listed external data sources.

Why it was flagged

The script sends the user-supplied journal keyword or ISSN to an external website. This is necessary for the stated lookup function and the data source is disclosed.

Skill content

BASE_URL_XR = "https://www.xr-scholar.com" ... requests.get(url, headers=headers, timeout=10)

Recommendation

Avoid entering sensitive or private search terms if you do not want them sent to xr-scholar.com or, in LetPub mode, letpub.com.cn.