Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Arxiv Papers

v1.0.0

Find and summarize arXiv.org preprints—keyword/category search, abstracts, PDF links. Use for literature scans, paper IDs, or quick orientation (not peer-rev...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name/description (search and summarize arXiv) matches the included instructions and script: the shell script calls the arXiv API and SKILL.md describes parsing entries and optionally fetching PDFs. One minor mismatch: the package metadata declares no required binaries, but the script uses curl (so the runtime must provide curl).
Instruction Scope
SKILL.md stays on-topic: it instructs querying the arXiv API, summarizing abstracts, optionally fetching PDFs, and optionally appending entries to memory/RESEARCH_LOG.md. It does not instruct reading unrelated system files or exfiltrating data to third-party endpoints. The only persistence option is to append to a local memory file if available — this is explicit and optional.
Install Mechanism
No install spec and only a tiny, local shell script are included. There are no downloads, package installs, or external install steps — low risk.
Credentials
The skill declares no credentials or environment variables and does not request any. The optional memory write is local and optional. Nothing asks for unrelated secrets or system config.
Persistence & Privilege
always:false (default) and autonomous invocation allowed (normal). The skill suggests optionally appending notable papers to memory/RESEARCH_LOG.md — that is local persistence the agent may perform if configured. Users should be aware summaries could be stored in agent memory.
Assessment
This skill appears to do what it says: call the arXiv API and summarize results. Before installing, note three small operational points: (1) the included script uses curl but the skill metadata doesn't declare curl as required, so ensure the agent runtime has curl on PATH; (2) queries are interpolated into the URL without URL-encoding (a functional bug, not malicious), so beware of odd characters in queries; (3) the skill can optionally append summaries to memory/RESEARCH_LOG.md, so check where your agent stores memory if you don't want persistent logs. Otherwise the code is tiny, uses only arXiv's public API, and requests no secrets or external installs.

Like a lobster shell, security has layers — review code before you run it.
