Security Scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill largely does what it says (download papers, convert, web-search, synthesize) but has a few red flags you should resolve before installing:
- Confirm which LLM provider it will use: the code calls Anthropic/Claude endpoints and has a --anthropic-key flag, but the registry only lists OPENROUTER_API_KEY. Ask the author which key the tool needs and whether OpenRouter or Anthropic will be used. Do not provide unrelated credentials.
- Review the code paths that send extracted PDF/text/web ...
⚠ Purpose and capability
The skill claims to run a 6-step research pipeline (arXiv + web + LLM). Requiring SERPER_API_KEY (web search) makes sense. Requiring OPENROUTER_API_KEY could be reasonable if it uses OpenRouter as the LLM proxy, but the shipped code explicitly interacts with Anthropic/Claude endpoints (GET /v1/models, x-api-key headers, CLI flag --anthropic-key). The declared env list omits ANTHROPIC_API_KEY while the code expects an Anthropic key — this mismatch is incoherent and should be clarified. The web_fetcher module supports proxy pools and browser-fingerprinting libraries (curl_cffi, fake-useragent), which are stronger capabilities than a minimal research tool needs.
⚠ Instruction scope
Runtime instructions (SKILL.md) match the stated pipeline (download PDFs, convert via markitdown, perform Serper searches, call an LLM to select and synthesize). However: (1) the SKILL.md and code reference Claude/Anthropic behavior but declared env vars don't include ANTHROPIC_API_KEY; (2) the tool fetches full web pages and sends them to remote LLM/search APIs — expected for this skill but important to note because fetched page contents (including private or paywalled snippets if URLs are provided) will be transmitted externally; (3) SKILL.md instructs installing packages and copying the script into /usr/local/bin, which writes to system locations rather than remaining instruction-only.
ℹ Install mechanism
There is no formal registry install spec (instruction-only). SKILL.md contains explicit 'pip install ...' commands and 'cp scripts/owl.py /usr/local/bin' — these are manual steps that modify the system environment. The Python dependencies include markitdown, curl_cffi, BeautifulSoup, lxml and fake-useragent. Nothing is downloaded from obscure URLs, but the suggested installs create executable system-level tooling (potentially persistent) and install libraries used for stealthy scraping.
⚠ Credential requirements
Registry requires OPENROUTER_API_KEY and SERPER_API_KEY which is plausible (LLM proxy + web search). The code, CLI flags, and SKILL.md also reference ANTHROPIC_API_KEY / Claude and provide a --anthropic-key flag; yet ANTHROPIC_API_KEY is not declared as required. That mismatch is the primary disproportion — you may need to supply additional LLM credentials not listed. No other unrelated secrets are requested, but the omission reduces transparency.
ℹ Persistence and privileges
The skill is not force-included (always: false) and allows normal autonomous invocation. It does not request to change other skills' configs. The SKILL.md does tell users to copy the script to /usr/local/bin (system-wide executable) which creates persistence on the host if followed, but this is a manual instruction rather than an automatic install step from the registry.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.3.0 2026/4/13
● Harmless
Install command
Official: npx clawhub@latest install q-research
Mirror (accelerated): npx clawhub@latest install q-research --registry https://cn.longxiaskill.com