Is angusthefuzz/pmc-harvest safe?

https://github.com/openclaw/skills/tree/main/skills/angusthefuzz/pmc-harvest

91
SAFE

PMC Harvest is a well-structured, single-purpose academic research tool that wraps NCBI's public E-utilities and OAI-PMH APIs. The SKILL.md contains no prompt injection patterns, the install was clean with no unexpected network activity or filesystem writes outside the skill directory, and all honeypot canary files remained intact. The primary concerns are minor: the public httpGet export lacks a domain allowlist, which creates a theoretical SSRF surface, and an undisclosed lock.json dependency (academic-research-hub) is committed into the repository without documentation in SKILL.md.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 97/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

LOW httpGet exported without domain restriction -12

lib/api.js exports the httpGet function as part of its public module.exports. This function follows up to 5 HTTP redirects with no scheme or domain validation. If an agent invokes pmc.httpGet() with an attacker-controlled URL (e.g., sourced from untrusted user input or a compromised NCBI response redirecting to an internal address), it could make requests to internal network services.

LOW Undisclosed dependency in .clawhub/lock.json -10

The skill repository includes .clawhub/lock.json referencing academic-research-hub v0.1.0 installed at 1770957475341. This dependency is not mentioned in SKILL.md. While this is likely the author's own skill environment lock file committed accidentally, the provenance of academic-research-hub and whether it introduces transitive risk cannot be verified from this audit.

INFO No version history — new skill with no public track record -5

_meta.json shows history: [] and a single version 1.0.0 published at timestamp 1771094361198. There is no prior version record to assess behavioral consistency across releases.

INFO No programmatic domain allowlist for outbound HTTP -7

The NCBI API calls are hardcoded to correct domains (eutils.ncbi.nlm.nih.gov, pmc.ncbi.nlm.nih.gov), but the underlying httpGet has no enforced domain restriction. This is a defense-in-depth gap rather than an active exploit.

INFO Canary files accessed — attributable to Oathe monitoring, not skill -3

Audit records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials accessed at timestamps 1771734228 (pre-install) and 1771734247 (post-install). These symmetric bracket accesses match Oathe's own canary baseline and post-verification checks. Canary integrity monitor confirms all files are intact with no content modifications.