Conduct iterative, hypothesis-driven deep research combining web, academic, and contradiction analysis to produce scientific Markdown reports with sourced ev...
Security Analysis
High confidence: The skill's claims, required binaries, and requested API keys align with its stated role as a meta-research coordinator; nothing requests unrelated secrets or system-level access, though it relies on runtime installation of upstream packages, which you should review before allowing.
The name and description (iterative, multi-source research producing Markdown reports) match the instructions: running other search/retrieval skills and combining their outputs. Required binaries (node, npx, curl, jq) and the two API keys (TAVILY_API_KEY, PERPLEXITY_API_KEY) are consistent with the declared upstream tools and the command examples that invoke node and bash scripts. The skill explicitly coordinates other skills rather than performing unrelated actions.
SKILL.md limits behavior to research workflow steps: question decomposition, running web/academic searches, extracting URLs, and contradiction resolution. It does instruct the agent to fetch arbitrary web pages for extraction (expected for research) and to install/invoke upstream skill scripts. It does not tell the agent to read unrelated files, sweep system state, or exfiltrate environment variables beyond the two declared keys. The explicit 'do not start synthesis without explicit scope' and the input collection requirements are appropriate controls.
The skill is instruction-only (no install spec), but SKILL.md instructs using npx to install/update upstream skills (npx -y clawhub@latest install ...). Using npx/npm to fetch and run code is a common pattern but carries moderate risk because it pulls packages from the network at runtime. The install commands point to a public registry (npm) rather than obscure URLs, which is expected, but you should review the upstream packages (deepresearchwork, tavily-search, literature-search, perplexity-deep-search) before executing installs in a production environment.
Only two API keys are required (TAVILY_API_KEY and PERPLEXITY_API_KEY), which aligns with the skill's use of Tavily and Perplexity services. No unrelated credentials, system secrets, or config paths are requested. The skill does not declare a primaryEnv even though two keys are required; that is a minor metadata gap but not a substantive red flag. Preflight checks merely verify presence/length of keys.
The always flag is false, and the skill does not request permanent or elevated agent/system privileges. It instructs installing and invoking other skills but does not instruct modifying other skills' configs or system-wide settings. Autonomous invocation (disable-model-invocation: false) is the platform default and by itself is not a problem here.
Guidance
This skill appears coherent for its stated purpose, but before installing or running it you should:
(1) Confirm the TAVILY and PERPLEXITY API keys you provide are scoped to least privilege and are revocable.
(2) Review the upstream packages (deepresearchwork, tavily-search, literature-search, perplexity-deep-search) and their install scripts, because the skill instructs npx to fetch and run them at install time.
(3) Prefer testing installs in an isolated environment (container or VM) to avoid unintended network activity or filesystem changes.
(4) Be aware the skill will fetch and extract arbitrary web pages; avoid giving it internal/private URLs or secrets to include in queries.
(5) Note the literature-search upstream tool contains a quirky behavior (it prepends a prompt phrase); this is an implementation detail but worth reviewing for any unexpected prompt engineering.
If you want higher assurance, ask for the exact versions and source locations of each upstream package before running the npx installs.
Latest Release
v1.0.0
- Initial release of deep-researcher meta-skill for in-depth, iterative, hypothesis-driven research.
- Coordinates deepresearchwork, tavily-search, literature-search (as Semantic Scholar mapping), and perplexity-deep-search for multi-round evidence gathering, contradiction resolution, and scientific Markdown reporting.
- Enforces input scoping, quality gates, and footnoted academic-style output; handles source contradiction and recency explicitly.
- Requires TAVILY_API_KEY and PERPLEXITY_API_KEY, with local installations of all upstream skills.
- Documents mapping of Semantic Scholar requests to literature-search; surfaces methodology, limitations, and arbitration logic in reports.
Published by @h4gen on ClawHub