📦 ScholarGraph — Academic Literature Intelligence Tool

v1.4.3

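An all-in-one academic literature intelligence tool that supports multi-source paper search, AI-assisted analysis, and knowledge-graph construction, helping researchers quickly get an overview of a field.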

1 · 1.1k · 11 current · 11 total
by @josephyb97 (Josephyb97) · MIT
License: MIT
Last updated: 2026/4/22
Security scan
VirusTotal: Suspicious
OpenClaw: Safe (medium confidence)
Assessment recommendations
This skill appears coherent for academic literature tasks, but take these precautions before installing: 1) Verify the upstream source: the SKILL.md points to a GitHub repo — confirm the repo and its recent commits match the package you get. 2) Inspect package.json for postinstall or install scripts that run arbitrary commands. 3) Run installation and execution in a sandboxed environment (container or VM) the first time. 4) Only provide API keys you control and prefer minimally-scoped/read-only ...
Detailed analysis
Purpose and capabilities
Name/description match the code and modules: multi-source search, PDF download, concept extraction, analysis, and knowledge-graph building. Required binary (bun) and the AI_PROVIDER env var align with the project's LLM-driven CLI implementation. Optional API keys correspond to the many academic sources the skill integrates with.
Instruction scope
Runtime instructions and code request network and filesystem access (downloading PDFs, writing a local SQLite DB, saving configs) and they send structured system prompts to LLM providers — this is expected for an LLM-based literature tool. The SKILL.md and code do include explicit system-role prompts (e.g., '只返回JSON格式'), which the repo uses to shape LLM output; that's legitimate here but is the single identified prompt-injection pattern the scanner flagged. No code in the reviewed snippets attempts to read unrelated system state (shell history, other services' credentials) or to POST collected data to unknown endpoints, but a full audit of omitted files (61 omitted) and package.json scripts is recommended.
Install mechanism
Install uses bun install and a verify command (bun run cli.ts --help), which is typical for a Bun/TypeScript project. This avoids arbitrary archive downloads. However, the registry summary said 'instruction-only' while the package contains many source files and an install entry in SKILL.md — verify what the registry metadata actually installs. Check package.json for any postinstall scripts before running.
Credential requirements
The skill declares AI_PROVIDER as required and lists many optional API keys (OpenAI, Semantic Scholar, NCBI, IEEE, Serper/SerpAPI, Unpaywall, etc.). Those optional variables are justified by the many external data adapters in the code. No unrelated credentials (e.g., AWS keys, SSH keys) are requested. Still: only provide keys you trust and restrict them (use read-only or scoped keys if available).
Persistence and privileges
The skill requests filesystem persistence (writes configs and a local SQLite DB) and stores data locally; registry flags show always:false and no special platform privileges. It does not request permanent platform-wide inclusion. This persistence is reasonable for a knowledge-graph tool.
Security is layered; review the code before running it.

License

MIT

Free to use, modify, and redistribute; the copyright notice must be retained.

Runtime dependencies

No special dependencies

Versions

latest · v1.4.3 · 2026/2/14

Suspicious

Install commands

Official: npx clawhub@latest install scholargraph
Mirror (accelerated): npx clawhub@latest install scholargraph --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese optimization: 龙虾技能库