Trusted — Risk Score 5/100
Last scan: 18 hr ago
citation-chasing-mapping
Use when identifying seminal papers in a research field, mapping research lineage and intellectual heritage
This is a legitimate citation network mapping tool that uses the Semantic Scholar API for academic research. No malicious behavior detected.
Skill Name: citation-chasing-mapping
Duration: 24.5s
Engine: pi
Safe to install
This skill is safe to use for citation analysis tasks.

Findings: 1 item

Severity: Low
Finding: Bash tool declared but not used (Doc Mismatch)
Location: SKILL.md:7
SKILL.md declares 'Bash' in allowed-tools but no subprocess or shell execution is present in the code.
allowed-tools: "Read Write Bash Edit"
→ Remove 'Bash' from allowed-tools or document if intended for future CLI integration
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | scripts/main.py:40 - urllib.request.urlopen()
Filesystem | WRITE | WRITE | ✓ Aligned | scripts/main.py:165 - open(output_file, 'w')
Shell | WRITE | NONE | ✗ Violation | No subprocess usage found in code
2 findings
Medium External URL
https://api.semanticscholar.org/graph/v1
scripts/main.py:40
Medium External URL
https://arrows.app/
scripts/main.py:564

File Tree

3 files · 26.9 KB · 780 lines
Python 1f · 569L Markdown 1f · 201L JSON 1f · 10L
├─ 📁 scripts
│ └─ 🐍 main.py Python 569L · 21.4 KB
├─ 📝 SKILL.md Markdown 201L · 5.3 KB
└─ 📋 tile.json JSON 10L · 235 B

Security Positives

✓ Uses only standard library (urllib.request) - no external dependencies
✓ All network calls go to legitimate Semantic Scholar API (https://api.semanticscholar.org)
✓ Implements proper rate limiting to avoid API abuse
✓ No credential harvesting or environment variable access
✓ No obfuscation, base64 encoding, or suspicious patterns
✓ No sensitive file system access (~/.ssh, ~/.aws, .env)
✓ No data exfiltration or C2 communication
✓ No subprocess, reverse shell, or remote code execution
✓ Outputs only local JSON files for network visualization