Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

work work

v3.3.0

Academic review writer and formatting assistant for Chinese academic papers. Use this skill when users need to format, check, and refine academic literature...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (academic review writer & formatter for Chinese papers) aligns with the provided scripts: reference formatters, citation analyzers, document format checkers, and Word-generation Node scripts. The set of files and templates is appropriate for the described functionality.
Instruction Scope
SKILL.md directs the agent/user to run local scripts on a user-provided markdown file. This is appropriate, but several scripts will modify user files (e.g., extract_and_fix_references.py, filter_references.py) and one Node script auto-opens generated documents using shell commands. These behaviors are consistent with the skill's purpose but are operations that affect local files and invoke the OS — the user should back up originals and inspect inputs before running.
Install Mechanism
No install spec is declared (instruction-only), so nothing will be downloaded automatically. The code expects standard runtimes (Python, Node) and common packages (docx, python-docx, PyYAML). That requirement is proportional to the functionality and not unexpected.
Credentials
The skill does not request environment variables, credentials, or config paths. All operations work on local files and on typical Python/Node packages; no disproportionate secrets or unrelated service access is requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It is user-invocable and will only run when the user/agent invokes it. No files indicate modification of other skills or system-wide agent settings.
Assessment
This package appears to do what it says (format/check/generate Word docs for Chinese academic papers). Before running:
1) Back up your markdown files — some scripts (extract_and_fix_references.py, filter_references.py) modify source files in place.
2) Inspect scripts if you have low trust (they are plain Python/JS and readable).
3) Be aware Node scripts may call the OS to open generated docs (create_word_with_superscript.js uses child_process.exec to run start/open/xdg-open); avoid running on untrusted filenames or as a privileged user.
4) Install Python/Node dependencies in an isolated environment (virtualenv, npm install) rather than system-wide.
5) If you want extra safety, run the checkers (which only read files) first and avoid the modules that modify files or auto-open them.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/create_word_with_superscript.js:45: Shell command execution detected (child_process).
