Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Arxiv
v1.0.0
Search and summarize papers from ArXiv. Use when the user asks for the latest research, specific topics on ArXiv, or a daily summary of AI papers.
by ClawKK @codekungfu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match its behavior: it queries the ArXiv API and summarizes papers. However, the SKILL.md and included script rely on curl to fetch results even though the declared requirements list no required binaries. Also the SKILL.md promises automatic saving to memory (RESEARCH_LOG.md) but no required config path was declared; these mismatches are noteworthy.
Instruction Scope
The instructions require parsing XML from the API and presenting results (expected). They also mandate appending any discussed paper (title, authors, date, summary) to memory/RESEARCH_LOG.md unconditionally ('MANDATORY'), which causes persistent writes without explicit per-action consent. The skill also advises using web_fetch to download PDFs for deep dives (external network fetches). The combination of mandatory persistent logging and autonomous network fetches expands scope beyond a simple read-only query.
Install Mechanism
There is no install spec and only a small shell script is bundled; the script performs a curl request to export.arxiv.org. This is low-risk compared to arbitrary remote installs. No third-party package downloads or obscure URLs are used.
Credentials
The skill requests no credentials (appropriate), but it instructs the agent to write into a persistent memory file (memory/RESEARCH_LOG.md) without declaring that config path or asking for user permission. Also the script implicitly requires curl even though no binaries were declared. These omissions reduce transparency about what resources the skill uses and modifies.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges, but it explicitly requires mandatory persistent writes to the agent's memory store for every discussed paper. If the agent invokes this skill autonomously, it may add entries to memory without explicit user confirmation. That persistent behavior is a meaningful privilege and should be made optional or gated by user consent.
What to consider before installing
This ArXiv skill is mostly coherent with its stated purpose but has two things you should consider before installing: (1) the bundled script uses curl but the skill declares no required binaries — ensure curl is present or update the skill to declare it; (2) the SKILL.md forces the skill to append every discussed paper to memory/RESEARCH_LOG.md (persistent storage) without asking the user. If you want to use it, ask the author to make saving optional or require explicit consent before writing to memory, and to declare required binaries. Also consider restricting PDF deep-fetching (it will download external PDFs) and validate or sanitize query input. If you don't want automatic persistent logging, either do not install the skill or modify it to prompt before saving.
Like a lobster shell, security has layers — review code before you run it.
