📚
Audit History
semantic-scholar-library-feed - 2 audits
Audit version 2
Latest Low RiskApr 21, 2026, 11:02 AM
This is a legitimate research management tool for Semantic Scholar. Static findings flagged 185 potential issues, but manual evaluation confirms all are false positives. The skill uses Python CLI scripts for cookie-based API access, standard file paths (~/.auth/), and base64 encoding for decoding server-side rendered data. No malicious patterns, data exfiltration, or unauthorized credential usage detected.
6
Files scanned
1,423
Lines analyzed
9
findings
claude
Audited by
High Risk Issues (1)
False Positive: Weak Cryptographic Algorithm
Static analyzer flagged base64.b64decode as 'weak cryptographic algorithm'. Base64 is encoding, not encryption, and is used legitimately to decode SSR data from Semantic Scholar's HTML pages. This is standard API behavior.
Medium Risk Issues (2)
SKILL.md:10-113references/auth-and-cookies.md:7-77references/library.md:11-90references/research-feed.md:5-94
False Positive: Ruby/Shell Backtick Execution
Static analyzer detected 'backtick execution' in markdown documentation files (SKILL.md, references/*.md). Backticks in markdown are code fences, not shell commands. The actual Python scripts (semantic_scholar_cli.py, ss_store.py) use proper subprocess calls, not shell backticks.
scripts/semantic_scholar_cli.py:117scripts/semantic_scholar_cli.py:131scripts/semantic_scholar_cli.py:349-351references/library.md:46references/library.md:62references/library.md:87references/research-feed.md:13references/research-feed.md:53SKILL.md:79SKILL.md:88
False Positive: System Reconnaissance
Static analyzer flagged file existence checks and URL parsing as 'system reconnaissance'. These are standard CLI operations: checking if cookie store exists, parsing folder IDs from URLs, validating API responses. Legitimate tool behavior.
Low Risk Issues (2)
False Positive: Hidden File Access
Static analyzer flagged ~/.auth/ directory access as 'hidden file in home directory'. This is standard configuration directory for storing authentication tokens. No malicious intent detected.
references/auth-and-cookies.md:14-15references/auth-and-cookies.md:31references/library.md:89references/research-feed.md:93SKILL.md:24SKILL.md:64SKILL.md:81
Intentional: Temp Directory Access
Skill writes to /tmp/ for intermediate data (research feed exports, folder exports). This is intentional for data processing workflows and standard practice for CLI tools.
Risk Factors
⚙️ External commands (12)
🌐 Network access (3)
📁 Filesystem access (3)
⚡ Contains scripts (2)
Audit version 1
Medium RiskApr 21, 2026, 09:45 AM
This is a legitimate academic research tool for interacting with Semantic Scholar APIs. All static findings are false positives: Python subprocess calls use hardcoded command strings with no user injection, hardcoded URLs are all legitimate Semantic Scholar endpoints, filesystem access is to user-specific config directories, and base64 decoding is for legitimate SSR data extraction. The skill uses cookie-based authentication which is a standard pattern for accessing authenticated web APIs.
6
Files scanned
1,423
Lines analyzed
4
findings
claude
Audited by
No security issues found
Risk Factors
⚙️ External commands (141)
references/auth-and-cookies.md:7 references/auth-and-cookies.md:8 references/auth-and-cookies.md:10 references/auth-and-cookies.md:12 references/auth-and-cookies.md:14 references/auth-and-cookies.md:15 references/auth-and-cookies.md:21-23 references/auth-and-cookies.md:23-25 references/auth-and-cookies.md:25 references/auth-and-cookies.md:25-29 references/auth-and-cookies.md:29-32 references/auth-and-cookies.md:32-36 references/auth-and-cookies.md:36-39 references/auth-and-cookies.md:39-41 references/auth-and-cookies.md:41 references/auth-and-cookies.md:41-45 references/auth-and-cookies.md:45-51 references/auth-and-cookies.md:51-52 references/auth-and-cookies.md:52-54 references/auth-and-cookies.md:54 references/auth-and-cookies.md:54-64 references/auth-and-cookies.md:64 references/auth-and-cookies.md:64 references/auth-and-cookies.md:64 references/auth-and-cookies.md:64 references/auth-and-cookies.md:64-76 references/auth-and-cookies.md:76-77 references/auth-and-cookies.md:77-79 references/auth-and-cookies.md:38 references/auth-and-cookies.md:36-39 references/library.md:11 references/library.md:15 references/library.md:16 references/library.md:17 references/library.md:18 references/library.md:19 references/library.md:23 references/library.md:23 references/library.md:24 references/library.md:26 references/library.md:32 references/library.md:36-44 references/library.md:44-46 references/library.md:46-48 references/library.md:48-52 references/library.md:52-56 references/library.md:56-62 references/library.md:62-63 references/library.md:63 references/library.md:63-64 references/library.md:64 references/library.md:64-66 references/library.md:66-70 references/library.md:70 references/library.md:70-71 references/library.md:71 references/library.md:71-72 references/library.md:72-73 references/library.md:73-74 references/library.md:74-79 references/library.md:79-80 references/library.md:80-81 references/library.md:81-85 references/library.md:85-90 references/research-feed.md:5 references/research-feed.md:11 references/research-feed.md:17 references/research-feed.md:19 references/research-feed.md:27 references/research-feed.md:31 references/research-feed.md:32 references/research-feed.md:33 references/research-feed.md:35 references/research-feed.md:35 references/research-feed.md:35 references/research-feed.md:39 references/research-feed.md:41 references/research-feed.md:43 references/research-feed.md:45 references/research-feed.md:47 references/research-feed.md:47 references/research-feed.md:51 references/research-feed.md:51 references/research-feed.md:51 references/research-feed.md:53 references/research-feed.md:53 references/research-feed.md:59 references/research-feed.md:60 references/research-feed.md:60 references/research-feed.md:61 references/research-feed.md:63 references/research-feed.md:73 references/research-feed.md:74 references/research-feed.md:75 references/research-feed.md:76 references/research-feed.md:77 references/research-feed.md:78 references/research-feed.md:79 references/research-feed.md:80 references/research-feed.md:82 references/research-feed.md:82 references/research-feed.md:86 references/research-feed.md:87 references/research-feed.md:91-94 scripts/semantic_scholar_cli.py:45 scripts/semantic_scholar_cli.py:45 scripts/semantic_scholar_cli.py:258 scripts/semantic_scholar_cli.py:258 scripts/semantic_scholar_cli.py:573 scripts/ss_store.py:320 SKILL.md:10 SKILL.md:16-18 SKILL.md:18-22 SKILL.md:22-25 SKILL.md:25-27 SKILL.md:27-31 SKILL.md:31-33 SKILL.md:33-41 SKILL.md:41-42 SKILL.md:42-44 SKILL.md:44 SKILL.md:44-54 SKILL.md:54-56 SKILL.md:56-58 SKILL.md:58-60 SKILL.md:60-62 SKILL.md:62-65 SKILL.md:65-77 SKILL.md:77-82 SKILL.md:82-86 SKILL.md:86-91 SKILL.md:91-93 SKILL.md:93 SKILL.md:93-97 SKILL.md:97-99 SKILL.md:99-102 SKILL.md:102-112 SKILL.md:112 SKILL.md:112-113 SKILL.md:113 SKILL.md:113-114
🌐 Network access (10)
📁 Filesystem access (16)
references/auth-and-cookies.md:7 references/auth-and-cookies.md:8 references/auth-and-cookies.md:7 references/auth-and-cookies.md:8 references/auth-and-cookies.md:14 references/auth-and-cookies.md:15 references/auth-and-cookies.md:31 references/library.md:89 references/research-feed.md:93 SKILL.md:41 SKILL.md:42 SKILL.md:41 SKILL.md:42 SKILL.md:24 SKILL.md:64 SKILL.md:81