CC3PO arXiv Research

Advisory. Audited by static analysis on May 9, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can write downloaded papers to your local filesystem when you ask it to download a PDF.

Why it was flagged

The tool can create a local output directory and download a PDF file there. This is expected for a paper-download skill and is user-directed through the download command.

Skill content
Path(output_dir).mkdir(parents=True, exist_ok=True) ... paper.download_pdf(dirpath=output_dir, filename=filename)
Recommendation

Download only to directories you trust and review requested output paths before allowing downloads. Because output_dir and filename come from the request, a host that runs the skill can confine them to a fixed base directory instead of accepting them as given.
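A confinement check matching this recommendation, added here as an example; it is not code from the skill or from ClawScan. It assumes Python 3.8+ with the standard library only, the helper names (confine_output_dir, safe_pdf_filename, download_pdf_confined, demo) are hypothetical, and the network call is replaced by a callable so the example runs offline on constructed PDF bytes. It goes one step beyond the finding by also handling old-style arXiv identifiers such as hep-th/9901001, whose slash would otherwise turn the filename into a subdirectory.

```python
import re
import tempfile
from pathlib import Path
from typing import Callable, Dict

# Hypothetical helper names chosen for this example; they are not part of the skill.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def confine_output_dir(requested: str, base: str) -> Path:
    """Resolve `requested` against `base` and refuse anything that lands outside it.

    Both sides are resolved before comparison, so "../" segments, an absolute
    path, and a symlink inside base that points elsewhere are all rejected.
    """
    base_path = Path(base).resolve()
    # Joining with an absolute right-hand side discards base; resolve() then follows
    # symlinks for the parts that exist and normalises the rest.
    target = (base_path / requested).resolve()
    try:
        target.relative_to(base_path)  # ValueError when target is not under base
    except ValueError:
        raise ValueError(f"output directory {requested!r} escapes {base_path}") from None
    return target


def safe_pdf_filename(arxiv_id: str) -> str:
    """Turn an arXiv identifier into one path component ending in .pdf.

    Old-style ids such as "hep-th/9901001" contain a slash; new-style ids such as
    "2401.01234v2" do not. Either way the result cannot name a subdirectory.
    """
    stem = _UNSAFE.sub("_", arxiv_id).strip("._")
    if not stem:
        raise ValueError("arXiv id yields an empty filename")
    return stem + ".pdf"


def download_pdf_confined(arxiv_id: str, requested_dir: str, base: str,
                          fetch: Callable[[str], bytes]) -> Path:
    """Create the directory only after it passed confinement, then write the PDF.

    `fetch` stands in for the network call (paper.download_pdf in the skill) so
    the example runs offline; it returns the PDF bytes for the given id.
    """
    out_dir = confine_output_dir(requested_dir, base)
    out_dir.mkdir(parents=True, exist_ok=True)
    data = fetch(arxiv_id)
    if not data.startswith(b"%PDF-"):
        raise ValueError("downloaded content is not a PDF")
    dest = out_dir / safe_pdf_filename(arxiv_id)
    dest.write_bytes(data)
    return dest


def demo() -> Dict[str, object]:
    """Exercise the checks in a throwaway base directory with constructed input."""
    fake_pdf = b"%PDF-1.4\n% constructed sample bytes, not a real paper\n"
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as elsewhere:
        dest = download_pdf_confined("hep-th/9901001", "papers/2024", base, lambda _id: fake_pdf)
        results["written"] = dest.name
        results["inside_base"] = str(dest).startswith(str(Path(base).resolve()))
        for bad in ("../outside", "/tmp/elsewhere"):
            try:
                confine_output_dir(bad, base)
                results[bad] = "accepted"
            except ValueError:
                results[bad] = "rejected"
        # A symlink inside base that points outside it must also be rejected.
        try:
            (Path(base) / "link").symlink_to(elsewhere)
            try:
                confine_output_dir("link/sub", base)
                results["symlink"] = "accepted"
            except ValueError:
                results["symlink"] = "rejected"
        except OSError:
            results["symlink"] = "skipped"  # platform does not allow creating symlinks here
        try:
            download_pdf_confined("2401.01234v2", "papers", base, lambda _id: b"<html>not a pdf")
            results["non_pdf"] = "accepted"
        except ValueError:
            results["non_pdf"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The check is done before mkdir so that a rejected path never leaves a directory behind, and the resolve-then-relative_to comparison is what catches the symlink case; a plain string prefix test on the unresolved path would not.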

What this means

If you provide a MongoDB connection string, the skill can use that database account for reading-list operations.

Why it was flagged

If a MongoDB URI is configured, the skill uses that credential to connect to a database. This is disclosed as optional reading-list support and is not used for unrelated services.

Skill content
MONGO_URI = os.getenv('MONGODB_URI', '') ... mongo_client = MongoClient(MONGO_URI)
Recommendation

Use a dedicated MongoDB database and user with only the permissions the reading list needs (read and write on that one database), and do not set MONGODB_URI unless you want persistent paper tracking.
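A check for the connection string, plus the user definition it should point at, added here as an example; it is not the skill's code and not part of the audit. It uses only the standard library, the function names are hypothetical, and it relies on two MongoDB defaults: authSource falls back to the database named in the URI, and mongodb+srv:// enables TLS unless told otherwise. The createUser document is the real command shape; executing it needs a driver such as pymongo and is not done here.

```python
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _hosts(netloc: str) -> List[str]:
    """Host names from a netloc, ignoring credentials and ports ("u:p@h1:27017,h2" -> [h1, h2])."""
    hostlist = netloc.rsplit("@", 1)[-1]
    out = []
    for h in hostlist.split(","):
        if h.startswith("["):                # bracketed IPv6 literal
            out.append(h[1:h.index("]")])
        else:
            out.append(h.rsplit(":", 1)[0])
    return out


def check_mongo_uri(uri: str) -> List[str]:
    """List what is wrong with a MONGODB_URI intended for the reading-list feature.

    Encodes the recommendation: a dedicated database named in the URI, a dedicated
    user defined in that database rather than in admin, and TLS whenever the host
    is not local. An empty list means the URI passes every check.
    """
    p = urlparse(uri)
    if p.scheme not in ("mongodb", "mongodb+srv"):
        return ["not a mongodb:// or mongodb+srv:// connection string"]
    problems: List[str] = []
    db = p.path.lstrip("/")
    if not db:
        problems.append("no database in the URI path; name the reading-list database explicitly")
    if not p.username:
        problems.append("no username; the skill would connect unauthenticated or as a shared default")
    params: Dict[str, str] = {k: v[-1] for k, v in parse_qs(p.query).items()}
    auth_source = params.get("authSource", db)  # MongoDB default: the URI database
    if auth_source == "admin":
        problems.append("authSource=admin; define the reading-list user inside its own database instead")
    elif db and auth_source != db:
        problems.append(f"authSource={auth_source} differs from database {db}; "
                        "the user is defined in another database")
    remote = [h for h in _hosts(p.netloc) if h not in LOCAL_HOSTS]
    tls_on = p.scheme == "mongodb+srv" or params.get("tls", params.get("ssl", "false")) == "true"
    if remote and not tls_on:
        problems.append(f"remote host(s) {remote} without tls=true; "
                        "credentials and the paper list travel in clear text")
    return problems


def least_privilege_user(db: str, user: str, password: str) -> dict:
    """The createUser command for an account that can only read and write `db`.

    Run it once as an administrator, for instance with pymongo as
    client[db].command(cmd) (assumes pymongo; not executed here). readWrite on the
    one database covers the upserts and reading-status updates the skill performs.
    """
    return {"createUser": user, "pwd": password,
            "roles": [{"role": "readWrite", "db": db}]}


if __name__ == "__main__":
    for uri in ("mongodb://localhost:27017/",
                "mongodb://root:pw@db.example.org:27017/arxiv_reading?authSource=admin",
                "mongodb://reader:secret@db.example.org:27017/arxiv_reading?tls=true"):
        print(uri, "->", check_mongo_uri(uri) or "ok")
    print(least_privilege_user("arxiv_reading", "reader", "change-me"))
```

The URIs in the usage block are constructed samples. A URI that passes should name the database, carry a username, and leave authSource either absent or equal to that database; the password itself should come from the environment, as the skill already reads it, rather than from a file checked into the skill.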

What this means

Your saved papers and reading statuses may be stored in the configured MongoDB database and could reveal research interests.

Why it was flagged

The skill can persist saved paper metadata and reading status in MongoDB. This matches the stated reading-list feature but creates retained user research history.

Skill content
self.db.papers.update_one({"arxiv_id": paper["arxiv_id"]}, {"$set": paper}, upsert=True)
Recommendation

Use a private database, review retention/sharing settings, and clear saved data when it is no longer needed.

What this means

Installing or running the skill may depend on package versions or artifact provenance that are not perfectly consistent across the supplied files.

Why it was flagged

The version in the package metadata differs from the version stated in other supplied metadata, and dependencies are given as lower-bound ranges rather than exact pins. The dependencies themselves are expected for this skill, but provenance and reproducibility are less clear.

Skill content
"version": "1.0.3" ... "dependencies": { "python": ">=3.8", "arxiv": ">=2.0.0" }, "optional_dependencies": { "pymongo": ">=4.0.0" }
Recommendation

Verify the source/repository and dependency versions before installation, especially in sensitive environments.
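A small metadata audit that automates this verification step, added here as an example; it is not ClawScan's scanner and not part of the skill. The dependency block is the one quoted in the finding; the second version number and the file name pyproject.toml are constructed stand-ins for the other metadata the page says disagrees, since the page does not give them. Function names are hypothetical. Python's own version requirement is skipped because an interpreter range is normal there.

```python
import re
from typing import Dict, List

# Hypothetical helper names chosen for this example.
_CLAUSE = re.compile(r"^(==|~=|>=|<=|!=|>|<)\s*(\S+)$")


def classify_specifier(spec: str) -> str:
    """Classify a PEP 440-style specifier as exact, bounded, lower_bound or unrecognized.

    "==2.1.0" is exact; ">=4.0.0,<5" and "~=2.0" are bounded (an upper limit exists);
    ">=2.0.0" alone is lower_bound, which accepts any future release, including one
    that changes behaviour or is published by a different maintainer.
    """
    has_upper = has_lower = False
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        m = _CLAUSE.match(clause)
        if not m:
            return "unrecognized"
        op, version = m.groups()
        if op == "==" and "*" not in version:
            return "exact"
        if op in ("<", "<=", "~=") or op == "==":   # "==" here is a wildcard such as 2.*
            has_upper = True
        elif op in (">", ">="):
            has_lower = True
    if has_upper:
        return "bounded"
    if has_lower:
        return "lower_bound"
    return "unrecognized"


def audit_skill_metadata(skill_json: dict, other_versions: Dict[str, str]) -> List[str]:
    """Cross-check the declared version against every other supplied file and flag unpinned deps.

    `other_versions` maps a file name to the version string found in it.
    """
    findings: List[str] = []
    declared = skill_json.get("version")
    for source, version in other_versions.items():
        if version != declared:
            findings.append(f"version mismatch: package metadata says {declared}, {source} says {version}")
    for section in ("dependencies", "optional_dependencies"):
        for name, spec in skill_json.get(section, {}).items():
            if name == "python":
                continue  # interpreter requirement, not a package to pin
            kind = classify_specifier(spec)
            if kind != "exact":
                findings.append(f"{section}.{name}: {spec!r} is a {kind} specifier, not an exact pin")
    return findings


# Constructed sample: dependencies as quoted in the finding; "1.0.2" stands in for the
# conflicting version in the other metadata file, which the page does not quote.
SAMPLE_SKILL_JSON = {
    "version": "1.0.3",
    "dependencies": {"python": ">=3.8", "arxiv": ">=2.0.0"},
    "optional_dependencies": {"pymongo": ">=4.0.0"},
}
SAMPLE_OTHER_VERSIONS = {"pyproject.toml": "1.0.2"}


def demo_audit() -> List[str]:
    """Run the audit over the constructed sample."""
    return audit_skill_metadata(SAMPLE_SKILL_JSON, SAMPLE_OTHER_VERSIONS)


if __name__ == "__main__":
    for line in demo_audit():
        print(line)
```

Exact pins alone do not prove provenance; they only make the install reproducible so that a later comparison against the repository is meaningful. The audit returns nothing for metadata whose versions agree and whose dependencies are pinned with "==".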