Skill v1.0.0

ClawScan security

XY PubMed PDF Downloader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 25, 2026, 2:48 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are internally consistent: it only contacts NCBI/europepmc to convert IDs and fetch open-access PDFs and does not request unrelated credentials or perform suspicious I/O.
Guidance
This skill appears to do exactly what it says: convert identifiers and download open-access PDFs from NCBI/Europe PMC. Before running, inspect the script (already included), run it in a controlled environment, and install only the documented dependency (pip install requests). Respect publisher terms and server load — the script includes a 1s delay for batch mode but avoid very large automated downloads. Because it performs network requests to public NCBI/europepmc endpoints and writes files locally, ensure you are comfortable with that and do not pass private identifiers or credentials (none are required).

Review Dimensions

Purpose & Capability
ok
The name/description (download open-access PDFs from PMC/Europe PMC) matches the included script and SKILL.md. The script implements PMC/PMID/DOI parsing, calls NCBI idconv endpoints and Europe PMC PDF rendering, and writes PDF files to a local output directory — all expected for this purpose.
Instruction Scope
ok
SKILL.md only instructs running the bundled Python script and installing the requests library. The script only reads the provided identifier list or CLI argument and writes downloaded PDFs to a user-specified directory. It does not read unrelated system files, environment variables, or send data to unknown third parties.
Install Mechanism
ok
There is no install spec; this is instruction-only plus a small Python script. The only third-party dependency is the widely used 'requests' library (documented in SKILL.md). No downloads from obscure URLs or archive extraction are present.
Credentials
ok
The skill requests no environment variables, secrets, or credentials. That matches its functionality: it uses public NCBI/Europe PMC APIs and does not need auth. No disproportionate credential access is requested.
Persistence & Privilege
ok
'always' is false and the skill does not modify other skills or system-wide settings. It runs as a simple CLI script and stores files only in a user-specified (or default) downloads directory.