Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Academic Paper Summarizer
v1.0.0
Extracts key points, methods, results, conclusions, and simplifies explanations from academic paper PDFs in Chinese and English.
by @eric060
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (extract key points from academic PDFs) align with the declared dependencies (pypdf, pdfplumber). However the SKILL.md shows example commands that call scripts under skills/academic-paper-summarizer/scripts/*.py, but no code files are present in the package — the claimed capability cannot be executed as-is.
Instruction Scope
Instructions explicitly tell the agent/user to run local Python scripts on PDF files (e.g., summarize.py, batch.py, extract.py). Those scripts would read user PDF files (expected), but they are missing from the skill bundle. That mismatch is a practical and security-relevant problem because it’s unclear what code would actually run if provided later or by a remote origin.
Install Mechanism
This is an instruction-only skill with no install spec — low risk from installers. But dependencies are listed with no guidance on how to install them; the skill assumes a Python environment already prepared, which is plausible but incomplete documentation.
Credentials
The skill declares no environment variables, no credentials, and no config paths — that is proportionate for a local PDF summarizer. There is no evidence it requests unrelated secrets or cloud credentials.
Persistence & Privilege
always is false and there is no indication it requests privileged or persistent presence. Autonomous invocation is allowed by platform default; this is expected and not by itself concerning here.
Scan Findings in Context
[NO_SCAN_FINDINGS] expected: The regex-based scanner found nothing because there are no code files (instruction-only skill). That is expected for skills that are just prose, but it means the scanner provides no coverage of the missing scripts referenced in SKILL.md.
What to consider before installing
Do not install or run this skill expecting the scripts to exist. Ask the author or publisher for the missing code, a source repository, or an explicit install method (PyPI/GitHub release) before proceeding. If you receive the scripts, review them (or have a developer review) to ensure they do not exfiltrate PDFs or upload data to external endpoints. If you must test immediately, do so in an isolated environment (container or VM) and install only the listed Python packages from official sources. Confirm how the skill handles PDFs (local-only processing vs. remote uploads) and request a checksum or signed release for any downloadable code. If the author cannot provide the missing files or a trustworthy source, treat the skill as incomplete and avoid using it with sensitive documents.
Like a lobster shell, security has layers — review code before you run it.
