← Back to Skills Marketplace
66
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install literature-search-pro
Description
专业级多数据库学术文献搜索,支持智能去重、质量排序及自动缓存,涵盖OpenAlex、Semantic Scholar和arXiv数据。
README (SKILL.md)
⚠️ 已整合 - 请使用 search 统一入口
本技能保留用于向后兼容,功能已整合到
search统一入口技能推荐使用:
search scholar [领域] [参数]或直接使用本技能(自动转发)
Literature Search Pro(兼容层)
专业级学术文献搜索技能,整合三大数据库(OpenAlex + Semantic Scholar + arXiv)。
迁移指南
新用法:
search scholar 图神经网络 药物发现 max_papers=20
search scholar 振动台子结构试验 year=2023-2026
search scholar 结构损伤识别 深度学习 high_citation
旧用法(仍然可用):
scholar 图神经网络 药物发现 max_papers=20
支持的数据库
| 数据库 | 限额 | 特点 | 优先级 |
|---|---|---|---|
| OpenAlex | 10K/天 | 最宽松,覆盖广 | 第一 |
| Semantic Scholar | 1K/5 分钟 | 引用数据准确 | 第二 |
| arXiv | 1 次/3 秒 | 最新预印本 | 第三 |
核心功能
- ✅ 多源搜索(OpenAlex + Semantic Scholar + arXiv)
- ✅ 智能去重(DOI/arXiv ID/标题模糊匹配)
- ✅ 质量排序(按引用数自动排序)
- ✅ 自动缓存(避免重复请求)
Usage Guidance
This skill appears to implement what it claims (multi-source literature search) and does not request secrets, but there is a clear security concern: index.js builds a shell command that embeds the query string without escaping and invokes python via child_process.exec, which can allow command injection if a query includes quotes or shell metacharacters. Before installing or enabling autonomous use: (1) request the maintainer fix invocation to use a safe spawn/execFile pattern or pass arguments as an array (avoid a single shell command); (2) ensure the Python 'requests' dependency is installed in a controlled environment; (3) verify whether the s2_api_key in config.json should be used and, if so, how it will be provided (currently unused); (4) audit the rest of search.py for any outbound network endpoints beyond OpenAlex/Semantic Scholar/arXiv (the visible code appears to call only those); and (5) avoid passing untrusted input (especially from external agents) until the command-injection issue is resolved. If you cannot get these mitigations, treat the skill as risky to enable for autonomous agents.
Capability Analysis
Type: OpenClaw Skill
Name: literature-search-pro
Version: 1.0.0
The skill contains a command injection vulnerability in index.js, where the user-provided 'query' parameter is insufficiently sanitized before being passed to child_process.exec. While the core functionality in search.py (integrating OpenAlex, Semantic Scholar, and arXiv) appears benign and aligned with the stated purpose, the lack of input validation on shell-executed strings poses a significant security risk. No evidence of intentional malice or data exfiltration was found.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description match the implementation: the code queries OpenAlex, Semantic Scholar, and arXiv, implements deduplication, sorting, and caching. The presence of search.py and index.js is coherent with the stated functionality.
Instruction Scope
index.js constructs a shell command string and calls child_process.exec to run search.py, embedding the user query inside double quotes without escaping. This creates a command-injection risk if the query contains shell metacharacters or quotes. The skill writes a cache directory under its own folder (expected) and does not read arbitrary user files or environment variables, but the unsafe subprocess invocation is a serious scope/exec concern.
Install Mechanism
No install spec — instruction/code-only skill. No remote downloads or extract steps. package.json lists python/requests as peer deps (so runtime requires Python and the requests library), but nothing is installed automatically by the skill registry.
Credentials
The skill does not request environment variables or credentials. config.json contains an s2_api_key field but the visible code does not use an API key or read environment variables — this is a minor mismatch (config present but apparently unused). Otherwise requested access (writing a local cache directory under the skill folder) is proportionate.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It writes a local cache directory inside the skill folder (normal). It does not modify other skills or global configuration.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install literature-search-pro - After installation, invoke the skill by name or use
/literature-search-pro - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Literature-search-pro functionality has been fully integrated into the unified search skill.
- This version serves as a compatibility layer; all features are now accessible via the search scholar command.
- Original scholar commands remain available for backward compatibility and are automatically forwarded.
- Supports multiple databases: OpenAlex, Semantic Scholar, and arXiv.
- Features include multi-source search, intelligent deduplication, quality ranking by citation, and automatic result caching.
Metadata
Frequently Asked Questions
What is Literature Search Pro?
专业级多数据库学术文献搜索,支持智能去重、质量排序及自动缓存,涵盖OpenAlex、Semantic Scholar和arXiv数据。 It is an AI Agent Skill for Claude Code / OpenClaw, with 66 downloads so far.
How do I install Literature Search Pro?
Run "/install literature-search-pro" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Literature Search Pro free?
Yes, Literature Search Pro is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Literature Search Pro support?
Literature Search Pro is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Literature Search Pro?
It is built and maintained by JIRBOY (@jirboy); the current version is v1.0.0.
More Skills