Bohrium Scholar Search & Profile

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Bohrium scholar lookup skill that uses a disclosed API key and sends scholar search queries to Bohrium as expected.

Install only if you are comfortable storing a Bohrium AccessKey in OpenClaw config and sending scholar lookup terms and selected scholar IDs to Bohrium. Avoid using highly sensitive or confidential personal data in queries, and protect the AccessKey from logs or shared shell history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill clearly documents outbound requests to an external service using an API key, but it does not explicitly warn that user-supplied scholar names, affiliations, tags, and selected scholar identifiers will be transmitted to Bohrium. In a search/profile skill this transmission is expected, but the missing disclosure creates a privacy and transparency issue, especially if users may submit sensitive researcher-identifying queries.

External Transmission

Medium
Category
Data Exfiltration
Content
### Basic Search

```python
r = requests.post(f"{BASE}/scholar/search", headers=HEADERS_JSON, json={
    "name": "Yann LeCun",
    "page": 1,
    "pageSize": 5
```
Confidence
87% confidence
Finding
requests.post(f"{BASE}/scholar/search", headers=HEADERS_JSON, json=

External Transmission

Medium
Category
Data Exfiltration
Content
### Search with Filters

```python
r = requests.post(f"{BASE}/scholar/search", headers=HEADERS_JSON, json={
    "name": "Zhang San",
    "school": "Tsinghua University",
    "affiliation": "Tsinghua University",
```
Confidence
89% confidence
Finding
requests.post(f"{BASE}/scholar/search", headers=HEADERS_JSON, json=

External Transmission

Medium
Category
Data Exfiltration
Content
---

## curl Examples

```bash
AK="$ACCESS_KEY"
```
Confidence
80% confidence
Finding
curl Examples ```bash AK="$ACCESS_KEY" BASE="https://open.bohrium.com/openapi/v1/paper-server" # Step 1: Scholar search curl -s -X POST "$BASE/scholar/search" \ -H "accessKey: $AK" \ -H "Content

VirusTotal

64/64 vendors flagged this skill as clean.
