中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 22/100
Last scan:19 hr ago Rescan
22 /100
researchclaw
OpenClaw integration for AutoResearchClaw - fully autonomous research from idea to paper
ResearchClaw is a legitimate academic research automation tool with clear documentation. All shell, filesystem, and network operations are declared and necessary for the stated purpose of autonomous paper generation.
Skill Nameresearchclaw
Duration40.8s
Enginepi
Safe to install
Approve for use. The skill is well-documented and performs expected operations (git clone, pip install, API calls). Monitor for any future updates to the external GitHub repository that may introduce undeclared behavior.

Findings 2 items

Severity Finding Location
Medium
External code download without integrity verification Supply Chain
The skill clones from https://github.com/aiming-lab/AutoResearchClaw.git without verifying commit hash or release signature. This could allow a compromised version to be installed if the repository is compromised.
git clone https://github.com/aiming-lab/AutoResearchClaw.git
→ Consider pinning to a specific release tag or commit hash for reproducible builds.
 SKILL.md:89
Low
pip install without version pinning Supply Chain
The pip install -e . command installs all dependencies from setup.py without version constraints. While common, this could lead to unexpected behavior if dependencies are updated.
pip install -e .
→ Consider documenting known-working dependency versions or recommending a requirements lock file.
 SKILL.md:91
ResourceDeclaredInferredStatusEvidence
Shell WRITE WRITE ✓ Aligned SKILL.md:89 - git clone, pip install; SKILL.md:109 - researchclaw run
Filesystem WRITE WRITE ✓ Aligned SKILL.md:89 - Clone to ~/AutoResearchClaw; SKILL.md:93 - config file creation; S…
Network READ READ ✓ Aligned SKILL.md:35-46 - OpenAI API calls; SKILL.md:180-185 - Literature APIs (OpenAlex,…
Environment READ READ ✓ Aligned SKILL.md:40 - Reads OPENAI_API_KEY from environment
1 findings
🔗
Medium External URL 外部 URL
https://discord.gg/u4ksqW5P
SKILL.md:231

File Tree

1 files · 6.5 KB · 237 lines
Markdown 1f · 237L
└─ 📝 SKILL.md Markdown 237L · 6.5 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
AutoResearchClaw unspecified GitHub (https://github.com/aiming-lab/AutoResearchClaw) No Cloned from external repository without version pinning

Security Positives

✓ All shell, filesystem, and network operations are explicitly declared in SKILL.md
✓ No obfuscation, base64-encoded commands, or anti-analysis techniques detected
✓ No credential harvesting beyond necessary API keys (OPENAI_API_KEY)
✓ No data exfiltration or C2 communication patterns observed
✓ Tool is designed for legitimate academic research purposes
✓ No hidden instructions in HTML comments or documentation
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ Documentation is comprehensive and matches the tool's stated purpose