hxxra
Pass
Audited by ClawScan on May 1, 2026.
Overview
This looks like a coherent research-paper assistant, but it uses external services and API keys that users should configure carefully.
Before installing, decide whether you are comfortable giving the skill OpenAI and Zotero credentials, sending selected PDFs or paper metadata to external services, and installing the listed Python packages. Use a separate workspace and virtual environment, and avoid running analysis on private documents unless the configured provider is acceptable.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured, the skill can use your OpenAI account for analysis and your Zotero account or group for saving research items.
The skill is designed to use Zotero and OpenAI credentials. This is consistent with saving papers and LLM analysis, but it gives the skill access to third-party services.
"zotero": { "api_key": "YOUR_ZOTERO_API_KEY", "user_id": "YOUR_ZOTERO_USER_ID", "group_id": null }, ... "llm": { "provider": "openai", "api_key": "YOUR_OPENAI_API_KEY"
Use least-privilege Zotero API keys where possible, keep API keys out of shared files, and only configure credentials you intend this skill to use.
Paper queries, paper text used for analysis, or bibliographic metadata may be sent to services such as arXiv, Google Scholar tooling, OpenAI, and Zotero.
The skill intentionally sends queries and analysis/save requests to external providers. This is purpose-aligned, but users should understand that content or metadata may leave the local workspace.
The search uses crawlers for Google Scholar and arXiv APIs; download uses Python requests or arXiv API; analyze uses an LLM; report generates Markdown summaries from analysis.json files; save uses Zotero API.
Avoid analyzing private or sensitive PDFs unless you are comfortable with the configured LLM provider and Zotero destination handling that data.
Installing the dependencies may fetch whatever versions are current at install time.
The skill documents package installation commands without pinned versions or a lockfile. These dependencies are expected for the research workflow, but unpinned packages add normal supply-chain variability.
Dependencies: `pip install scholarly` ... Dependencies: `pip install pymupdf pdfplumber openai`
Install dependencies in a dedicated virtual environment and pin or review package versions if reproducibility or supply-chain control matters.
