Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Autonomous Research

v1.0.0

Conduct comprehensive research independently. Find information, analyze sources, synthesize findings, and create detailed reports without human guidance.

0· 1.9k·13 current·13 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (web research, source evaluation, report generation) matches the need for HTTP tooling and data processing, so requiring curl and jq is reasonable. However, requiring a single BRAVE_API_KEY (and no other search API or credentials) is unexpected and not justified in the SKILL.md. The install of an npm package (axios) for an instruction-only skill is also disproportionate to the described functionality and is not explained.
Instruction Scope
SKILL.md contains a thorough research methodology with examples and does not instruct the agent to read local files or secrets. However, the instructions are intentionally open-ended (the skill is meant to 'conduct research independently'), which grants broad autonomy to fetch and process external data; keep that discretion in mind before giving the skill network access or credentials. The file does not reference BRAVE_API_KEY or any concrete external endpoint, so it is unclear how, or where, that credential would be used.
Install Mechanism
The install spec declares npm + package 'axios' and lists a binary 'axios' being created. axios is a Node HTTP client library, not a CLI: its package manifest declares no bin entry, so 'npm i -g axios' places nothing on PATH and the declared binary cannot exist. The claim is therefore incoherent and points to either a misconfiguration or incorrect metadata. Installing packages with npm is a moderate-risk install mechanism (a global install writes into the user's node tree, and npm packages may run lifecycle scripts at install time with the user's privileges); here it appears unnecessary for an instruction-only skill and would write files to the environment without clear justification.
Credentials
Only one required environment variable is declared: BRAVE_API_KEY. Requiring a single, service-specific API key (Brave) without explaining why or where it will be used is disproportionate. The SKILL.md doesn't document any Brave-specific integration or how the key is used. The declaration of this credential without context is a red flag — users should not provide API keys unless they understand exactly what endpoints and scopes the skill will access.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable with normal autonomous invocation allowed. There are no declared config paths or persistent privileges. This dimension does not raise additional concerns.
What to consider before installing
This skill is plausible for autonomous research, but several inconsistencies need clarification before you install it or provide secrets. Ask the publisher (or request these changes) before proceeding:
1) Explain why BRAVE_API_KEY is required, which Brave endpoint/scopes will be called, and provide a privacy model for the data sent. Do not share your key until you know exactly how it's used.
2) Remove or correct the install spec: 'axios' is a library, not a CLI. Verify whether any npm package must be globally installed and why.
3) Request source code or an authoritative homepage so you can inspect what network calls are made.
4) If you decide to test it, run it in an isolated/sandboxed environment and use a limited, test-only API key (not a high-privilege secret).
5) Prefer skills whose install steps use well-known release artifacts or include code files you can review.
If the owner cannot justify the BRAVE_API_KEY and the odd install metadata, consider rejecting the skill.
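An offline audit that mechanizes items 1 to 3 of the checklist above and the bin mismatch called out under Install Mechanism, as an added example (not ClawHub's scanner and not the skill's own code): it counts how often a declared env var appears in SKILL.md, lists every host the bundle names, and checks whether an npm package's manifest declares a bin. The bundle it inspects is constructed inline to mirror this listing (no endpoint, no key reference, a package.json without "bin"); point the functions at a real extracted skill directory instead.

```shell
#!/bin/sh
# Added example: an offline pre-install audit of a skill bundle. This is not
# ClawHub tooling; it assumes a directory containing SKILL.md and, if an npm
# install is declared, that package's package.json. The sample bundle below is
# constructed to mirror this listing (no endpoint, no key reference, no bin).
set -eu

# How many times does a file mention a declared env var? 0 means the skill
# declares a credential that its own instructions never use.
env_refs() {
  grep -o -- "$2" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Every host named anywhere in the bundle, so you know which endpoints could
# be contacted once the skill has network access.
list_hosts() {
  grep -rhoE 'https?://[A-Za-z0-9._-]+' "$1" 2>/dev/null \
    | sed 's#^https\{0,1\}://##' | sort -u
}

# Does a package manifest declare a "bin"? If not, a global npm install puts
# nothing on PATH and a listing that claims a binary is wrong.
declares_bin() {
  if grep -q '"bin"[[:space:]]*:' "$1" 2>/dev/null; then echo yes; else echo no; fi
}

# Constructed sample bundle (not the real skill's files).
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/node_modules/axios"
  cat > "$d/SKILL.md" <<'EOF'
# Autonomous Research
Fetch pages with curl, parse JSON with jq, then synthesize a report.
EOF
  cat > "$d/node_modules/axios/package.json" <<'EOF'
{ "name": "axios", "version": "0.0.0", "main": "index.js" }
EOF
  echo "$d"
}

# The three answers a reviewer wants before handing over a key.
audit() {
  printf 'BRAVE_API_KEY references in SKILL.md: %s\n' \
    "$(env_refs "$1/SKILL.md" BRAVE_API_KEY)"
  printf 'hosts mentioned: %s\n' "$(list_hosts "$1" | tr '\n' ' ')"
  printf 'axios declares a bin: %s\n' \
    "$(declares_bin "$1/node_modules/axios/package.json")"
}

sample=$(make_sample)
audit "$sample"
rm -rf "$sample"
```

On a real bundle, run env_refs over every file the skill ships, not only SKILL.md; a key referenced nowhere is exactly the "declared without context" finding above, and an empty host list for a skill that requires HTTP tooling means you still do not know where your data goes.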

Like a lobster shell, security has layers — review code before you run it.

latest: vk974077gwxrk21h7hwemj3skyh81q01a


Runtime requirements

Runtime: Clawdis
Bins: curl, jq, git
Env: BRAVE_API_KEY

Install

Node
Bins: axios
npm i -g axios
