ieee-reference-manager
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent IEEE reference-management skill; it has normal file-editing, web-checking, and optional script-running capabilities that users should review, but no artifact-backed malicious behavior.
This skill appears safe for normal bibliography work. Before installing, be aware that it can edit project files, use web searches for DOI checks, and run local helper scripts if present; keep it scoped to the intended paper folder and review changes before accepting them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can inspect and modify project files and use powerful tools if invoked, so careless use could change bibliography or LaTeX files.
The tool set allows reading/searching files, editing/writing files, shell commands, web access, and Agent delegation. These capabilities are broad, but they are disclosed and mostly fit the reference-review workflow.
allowed-tools: Read, Edit, Write, Bash, Glob, Grep, WebSearch, WebFetch, Agent
Use it only in the intended paper directory, review proposed diffs, and require confirmation before any file-changing action.
If a project contains helper scripts, running them could execute whatever code is in those files.
The reference material recommends running local helper scripts or temporarily writing equivalent code. This is relevant to BibTeX analysis, but it is still local code execution.
When these scripts exist in the project, prefer calling them directly; when they do not, you may temporarily write equivalent code following the logic below... python analyze_bib.py
Only run helper scripts that are part of a trusted project, and inspect scripts before execution when the source is uncertain.
Reference metadata from a draft paper may be exposed to search or DOI providers during validation.
DOI validation intentionally sends DOI, title, or author queries to external search/resolver services. This is disclosed and central to the skill, but it is still an external data flow.
Verify each entry one by one via WebSearch or a DOI resolver... Prefer a DOI query; otherwise search by title + author
Avoid web validation for confidential drafts unless acceptable, or ask the agent to confirm before sending titles/authors to external services.
