Deep Research Pro v5.0.1

What to check before installing or running: - Input handling: The PDF extractor will download any URL you pass to it. Treat this as a network-capable program: do not pass untrusted or internal network URLs (SSRF risk). Run the scripts in a sandboxed environment with network egress controls if possible. - Documentation mismatch: SKILL.md shows usage with '<pmid>'/PubMed, but scripts.extract-pmc.py builds a PMC URL (expects a PMC id). Confirm which identifier to pass and test on benign known PMCID values first. - Hard-coded paths: synthesize.sh calls the check script using a /root/.openclaw/... absolute path. That may fail or, if the environment mirrors that path, read files from unexpected locations. Inspect and (if needed) modify the script to use relative paths inside the research directory before running. - Review network targets: extract-pmc.py requests NCBI/PMC (expected) and extract-from-pdf.py fetches arbitrary URLs (expected for PDFs). Ensure your runtime allows only the external hosts you trust; consider disabling outbound network or restricting DNS if you are uncertain. - Sanity-check outputs: the scripts write temporary JSON to /tmp and generate reports. Review those outputs and run check-sourcing.sh manually to confirm it only accesses expected 'sources' files. - Run first in an isolated environment: because the skill performs network I/O and file reads/writes, test it inside a container or VM with limited network access and without sensitive files mounted. If you need higher assurance, ask the skill author to: (1) fix the pmid/pmcid documentation mismatch, (2) avoid hard-coded absolute paths, and (3) add explicit input validation/whitelisting for PDF URLs.