← Back to Skills Marketplace
Research
by
BrennerSpear
· GitHub ↗
· v1.0.0
1151
Downloads
0
Stars
9
Active Installs
1
Versions
Install in OpenClaw
/install research-agent
Description
Conduct open-ended research on a topic, building a living markdown document. Supports interactive and deep research modes.
Usage Guidance
This skill's docs expect a 'parallel-research' CLI and 'export-pdf' script plus a PARALLEL_API_KEY, but those scripts and the env var are not declared or bundled. Before installing or following SETUP.md: 1) Ask the author for the missing scripts (or a trusted release URL) and for a homepage/repo so you can review their code. 2) Do not blindly run the curl | sh installer (astral.sh) — audit that script or install uv/pymupdf via your distro/package manager instead. 3) Prefer storing API keys in a secure secret store or OS keyring rather than echoing into a plaintext file and appending 'export' into ~/.bashrc. 4) If you must symlink scripts, inspect them first and avoid system-wide /usr/local installs unless you trust the source. 5) Verify how cron payloads deliver messages and what data they include (cron jobs could leak results or identifiers to external channels). If the author provides the missing artifacts and a trustworthy source for the uv installer, the architecture is reasonable; without that, the package is inconsistent and should be treated with caution.
Capability Analysis
Type: OpenClaw Skill
Name: research-agent
Version: 1.0.0
The skill is classified as suspicious due to several risky practices and potential vulnerabilities, despite lacking clear evidence of malicious intent. Key indicators include the `SETUP.md` file using `curl -LsSf ... | sh` for installing `uv`, which introduces a supply chain risk, and the use of `export $(cat ... | xargs)` for loading API keys, which can be vulnerable if the `.env` file is untrusted. Most critically, the `OPENCLAW.md` file instructs the agent to schedule cron jobs with a `message` payload that contains direct command execution instructions (e.g., `Run: parallel-research result <run_id>`). While intended for legitimate functionality, this represents a prompt injection vulnerability that could lead to remote code execution if the `<run_id>` or other parts of the message were controllable by an attacker.
Capability Assessment
Purpose & Capability
The skill claims to run deep async research via a 'parallel-research' CLI and to export PDFs via an 'export-pdf' script. However, the package contains only docs (OPENCLAW.md, SETUP.md, SKILL.md) and no scripts or binaries. The instructions expect files under ~/.openclaw/skills/research/scripts/, but those scripts are not present—this mismatch suggests either missing artifacts or sloppy packaging.
Instruction Scope
Runtime instructions tell the agent to create files under ~/.openclaw/workspace/research and to schedule cron jobs that deliver results back to a source channel. They also instruct how to store and expose PARALLEL_API_KEY via a local .env and by appending an export to shell profile. The doc assumes an env var exists and that cron jobs can deliver messages to external channels—these behaviors are plausible for a research skill but the instructions reference environment/config that were not declared and that enable external delivery of results, which increases the risk surface.
Install Mechanism
There is no formal install spec, but SETUP.md recommends symlinking local scripts (which are absent) and running a remote installer via curl (curl -LsSf https://astral.sh/uv/install.sh | sh). Advising an unattended remote install script is high-risk. Also recommending global symlinks (/usr/local/bin) and modifying ~/.bashrc are persistent, privileged operations. The absence of included scripts plus a remote install command is a problematic combination.
Credentials
The skill metadata declares no required env vars, yet the docs repeatedly rely on PARALLEL_API_KEY being present and instruct creating ~/.secrets/parallel_ai/.env and exporting it into the shell profile. Asking users to store an API key in plain text and append it to shell startup without declaring the key in the skill manifest is disproportionate and inconsistent. The requested secret itself (Parallel AI key) is plausible for the described deep-research capability, but the handling guidance is insecure and undocumented in the manifest.
Persistence & Privilege
The skill does not request always:true and doesn't claim extra platform privileges. However, SETUP.md instructs persistent changes (symlinks into user PATH, appending exports to ~/.bashrc, creating ~/.secrets, and scheduling cron jobs). Those are normal for CLI tooling but are materially persistent and should be performed only after verifying the scripts being linked and installed.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install research-agent - After installation, invoke the skill by name or use
/research-agent - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Auto-publish from CI
Metadata
Frequently Asked Questions
What is Research?
Conduct open-ended research on a topic, building a living markdown document. Supports interactive and deep research modes. It is an AI Agent Skill for Claude Code / OpenClaw, with 1151 downloads so far.
How do I install Research?
Run "/install research-agent" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Research free?
Yes, Research is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Research support?
Research is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Research?
It is built and maintained by BrennerSpear (@brennerspear); the current version is v1.0.0.
More Skills