Skill v1.0.0
ClawScan security
Scientific Article PDF Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:41 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only connector to an external article-generation API and its requested items (one API key, no installs) align with its stated purpose, but it will send user-provided text and product data to a third-party service so you should confirm you trust the provider before uploading sensitive or unpublished material.
- Guidance: This skill will upload whatever text and product facts you provide to an external service (paper.evoweb.ai) using the EVOWEB_API_KEY you supply. Before installing: 1) Confirm you trust the provider and review their privacy/terms (and whether hub.oto.dev is the legitimate registration flow for this API). 2) Don’t send unpublished, confidential, or regulated data unless you’re comfortable with that third party processing/storing it. 3) Use a dedicated API key with limited privileges or billing controls if possible, and monitor usage/credits. 4) Consider disabling autonomous invocation or explicitly instructing the agent before it uploads sensitive content if you want manual control over every request.
Review Dimensions
- Purpose & Capability: ok. The name/description (generate publication-ready PDFs with research/citations) match the runtime instructions: call paper.evoweb.ai with an API key and submit article fields. Requesting a single EVOWEB_API_KEY is proportionate to this purpose.
- Instruction Scope: note. SKILL.md instructs the agent to collect article title, product facts, draft text, and optionally enable automated research, then POST that content to the external API. This is expected for the stated capability but means user content (which may include proprietary or unpublished data) will be transmitted to a third party. Also the registration link (hub.oto.dev) differs from the homepage domain (paper.evoweb.ai) — plausible but worth verifying.
- Install Mechanism: ok. No install spec and no code files — lowest-risk pattern. The skill is instruction-only and does not write binaries to disk or run an installer.
- Credentials: ok. Only one environment variable (EVOWEB_API_KEY) is required. That matches the documented Access-Token header and is proportionate. There are no unrelated secrets or config path requirements.
- Persistence & Privilege: ok. always is false (not force-included). disable-model-invocation is false (normal). The skill does not request persistent system-level privileges or modification of other skills' configs.
