Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Paper Reading Assistant (论文阅读助手)

v1.0.0

Paper reading report generator: extracts structured content from a PDF and produces a reading report entirely in Chinese. Trigger keywords: /readpaper, 论文阅读 (paper reading), 论文分析 (paper analysis), PDF分析 (PDF analysis)

0 · 33 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description (PDF-to-report) match the bundled scripts: PDF extraction, structure extraction, and report generation. The required resources (none declared) are consistent with an instruction-only skill that ships Python scripts. The cache and output file paths are consistent with the stated purpose.
Instruction Scope
SKILL.md and EXAMPLE.md instruct the agent to extract PDFs and produce structured text for the model to read, which matches the code. The docs mention analyzing online links and uploaded PDFs, while the visible code implements local-file extraction, automatic library installation, and local caching. The online fetching and upload handling are not visible in the truncated code, so this is an implementation gap rather than evidence of suspicious data access; it does mean the scanner could not confirm whether any network fetching exists. The instructions do not ask the agent to read unrelated system files or contact external endpoints.
Install Mechanism
There is no registry-level install spec; instead the runtime code installs missing Python packages (pymupdf, pdfplumber, pypdf) by invoking pip through subprocess. This is common for a Python PDF tool, but a runtime pip install downloads and executes code from PyPI at the moment the skill runs, and unless the install is pinned to a version or hash it resolves to whatever PyPI serves at that time. The installs use the ordinary package names (no custom index URLs or link shorteners) and are proportionate to the stated functionality.
Credentials
The skill declares no required environment variables or credentials, and the code does not read any secrets or unrelated environment variables. It writes cache files under ~/.workbuddy and output report files to the working directory, which is consistent with its stated purpose.
Persistence & Privilege
The skill does not request always:true, does not modify other skills' configs, and persists only its own cache under ~/.workbuddy. It can be invoked by the agent autonomously (the default), which is normal for skills.
Assessment
This skill appears to do what it says: extract text from PDFs, save structured content, and let an LLM generate a Chinese report. Before installing or running it, be aware that it will:
1) attempt to auto-install Python packages (pymupdf, pdfplumber, pypdf) via pip at runtime; review and approve those installs, and run the skill in a dedicated virtualenv or other controlled Python environment where possible;
2) write cache files to ~/.workbuddy/cache/readpaper and create output files in your working directory; verify the paths it uses and clean up afterwards if needed;
3) save the extracted text to disk where the agent reads it, so avoid feeding it highly sensitive PDFs unless you trust the environment.
For extra assurance, inspect the full (untruncated) scripts for any URL or network-fetching code and run the tool in an isolated environment.
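The "inspect the full scripts" step above, and the runtime pip installs called out under Install Mechanism, can be checked mechanically before the skill is ever executed. The following is an added example, not ClawHub's scanner and not the skill's own code: a static audit over a skill's Python source using the standard-library ast module that reports runtime pip installs through subprocess or os.system (and which package names they request), imports of network-capable modules, URL literals, and writes to absolute or home-relative paths outside the cache directory the report names. ALLOWED_WRITE_PREFIXES, NETWORK_MODULES and the sample script at the bottom are assumptions constructed to mimic the patterns the report describes; they are not taken from the skill.

```python
"""Static audit of a skill's Python scripts (added example; not the skill's code).

Reports four behaviours a reviewer would want to know about before running an
agent skill: runtime pip installs, network-capable imports, URL literals, and
file writes outside the declared cache directory. Pure AST inspection: nothing
in the audited source is executed.
"""
import ast
import re
from dataclasses import dataclass
from typing import List

# Assumed policy for this skill, taken from the scan report's prose.
ALLOWED_WRITE_PREFIXES = ("~/.workbuddy/cache/readpaper",)
NETWORK_MODULES = {"urllib", "requests", "http", "httpx", "socket", "aiohttp", "ftplib"}
URL_RE = re.compile(r"https?://[^\s'\"]+")


@dataclass(frozen=True)
class Finding:
    kind: str  # pip-install | network-import | url-literal | write-outside-cache
    line: int
    detail: str


def _callee(node: ast.Call) -> str:
    """Dotted callee name, e.g. 'subprocess.check_call'; '' if not a plain name."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def _str_args(node: ast.Call) -> List[str]:
    """String constants among positional args, flattening list/tuple literals.
    Non-constant elements (sys.executable, a variable) are skipped, so a package
    name passed through a variable shows up as 'not a literal' below."""
    out = []
    for a in node.args:
        elts = a.elts if isinstance(a, (ast.List, ast.Tuple)) else [a]
        out.extend(e.value for e in elts
                   if isinstance(e, ast.Constant) and isinstance(e.value, str))
    return out


def _open_mode(node: ast.Call) -> str:
    if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
        return str(node.args[1].value)
    for kw in node.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            return str(kw.value.value)
    return "r"


def _write_allowed(path: str) -> bool:
    # Relative paths land in the working directory, which the report treats as
    # expected output; absolute or ~-relative paths must be under the cache dir.
    if not path.startswith(("/", "~")):
        return True
    return any(path.startswith(p) for p in ALLOWED_WRITE_PREFIXES)


def audit_source(source: str) -> List[Finding]:
    findings = []
    for node in ast.walk(ast.parse(source)):
        names = []
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        for name in names:
            if name.split(".")[0] in NETWORK_MODULES:
                findings.append(Finding("network-import", node.lineno, name))
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                findings.append(Finding("url-literal", node.lineno, url))
        if not isinstance(node, ast.Call):
            continue
        callee = _callee(node)
        tokens = " ".join(_str_args(node)).split()  # works for argv lists and shell strings
        if ((callee.startswith("subprocess.") or callee in ("os.system", "os.popen"))
                and ("pip" in tokens or "pip3" in tokens) and "install" in tokens):
            pkgs = [t for t in tokens[tokens.index("install") + 1:] if not t.startswith("-")]
            findings.append(Finding("pip-install", node.lineno,
                                    " ".join(pkgs) or "<package name not a literal>"))
        if (callee == "open" and node.args and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, str)
                and any(c in _open_mode(node) for c in "wax")
                and not _write_allowed(node.args[0].value)):
            findings.append(Finding("write-outside-cache", node.lineno, node.args[0].value))
    return sorted(findings, key=lambda f: (f.line, f.kind))


# Constructed sample mimicking the patterns the report describes; not the skill's code.
SAMPLE_SKILL_SCRIPT = '''\
import subprocess, sys, os
import urllib.request

def ensure(pkg):
    try:
        __import__(pkg)
    except ImportError:
        subprocess.check_call([sys.executable, "-m", "pip", "install", pkg])

ensure("pymupdf")
subprocess.check_call([sys.executable, "-m", "pip", "install", "pdfplumber", "pypdf"])

def fetch(url="https://example.com/paper.pdf"):
    return urllib.request.urlopen(url).read()

with open("~/.workbuddy/cache/readpaper/index.json", "w") as f:
    f.write("{}")
with open("/tmp/extracted.txt", "w") as f:
    f.write("")
with open("report.md", "w") as f:
    f.write("# report")
'''

if __name__ == "__main__":
    for finding in audit_source(SAMPLE_SKILL_SCRIPT):
        print(f"{finding.kind:20} line {finding.line:3}: {finding.detail}")
```

Run it against every .py file in the downloaded skill before the agent can invoke it. The audit only sees literals, so a package name or path built at runtime is reported as such rather than resolved; treat any "not a literal" pip install or a subprocess call you cannot account for as a reason to read that function by hand.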

Like a lobster shell, security has layers — review code before you run it.

latest: vk97f4w9enf8q2egeb4tc8gjp3s844hr7
