Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Paper Impact Analyzer

v1.1.0

Analyze academic paper impact using multiple data sources (arXiv, GitHub, OpenAlex, Semantic Scholar). Input an arXiv ID and get a multi-dimensional impact a...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation: the code fetches arXiv metadata, searches/queries GitHub, queries OpenAlex and Semantic Scholar, and synthesizes a rating. Required runtime (python) and the lack of API keys align with the declared design (keyless APIs). Duplicate files (root and skills/ copies) look like packaging redundancy but are consistent with the skill purpose.
Instruction Scope
SKILL.md instructs only to run the included Python script with arXiv IDs (no other file or env access). However, the script builds an SSL context with both checks switched off (SSL_CTX.check_hostname = False and SSL_CTX.verify_mode = ssl.CERT_NONE), so any certificate the server presents, including a self-signed one from an on-path attacker, is accepted; and it queries arXiv over a plain http:// endpoint, which has no transport protection at all. Every outbound HTTPS call made with that context is therefore open to man-in-the-middle interception and tampering on an untrusted network, and the arXiv metadata that feeds the report can be read or altered in transit. Neither behavior is called out in SKILL.md.
Install Mechanism
No install spec provided (instruction-only install). The skill includes Python source but does not try to install external packages or download code at runtime. This is low-risk from an installer perspective.
Credentials
The skill requests no environment variables or credentials and uses public, keyless APIs. The set of external endpoints it contacts (arXiv, api.github.com, api.openalex.org, Semantic Scholar) is proportional to its stated purpose.
Persistence & Privilege
The skill is not always-enabled, does not request elevated persistence, and there is no evidence it modifies other skills or system-wide configurations. Running the script makes network calls but does not persist credentials or reconfigure the agent.
Assessment
This skill appears to be internally consistent with its description: it runs a Python script that queries arXiv, GitHub, OpenAlex, and Semantic Scholar and prints a Markdown impact report. Before running it, review and consider the following:

1) The script intentionally disables SSL certificate verification for outbound HTTPS requests and uses plain HTTP for the arXiv query, which exposes you to man-in-the-middle interception and tampering on untrusted networks. If you will run it on a laptop or cloud VM, either (a) modify the script to remove the SSL bypass (use the default SSL context, ssl.create_default_context(), without further assignments) and switch the arXiv URL to HTTPS, or (b) run it only on a network you trust.
2) The script makes multiple external network requests; expect rate limiting from GitHub and Semantic Scholar when unauthenticated, and batch jobs may hit those limits.
3) The package contains duplicate files (root and skills/ copies). This is likely harmless but unusual; you may prefer to keep only one copy.
4) If you are concerned about privacy or data leakage, inspect the full script locally before execution. It does not read local environment variables or files in the visible portions, but verify the truncated parts if you plan to run it.
5) Run the script in an isolated environment (container or VM) if you want to limit risk.

If you want, I can point out the exact lines to change to re-enable certificate verification and use HTTPS for arXiv.
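As an added example (not code from the skill and not part of the scan output), the following Python does the pre-run check items 1 and 4 call for: it audits a downloaded script for the two weakening patterns the scan describes and builds the hardened replacements. The snippet it audits is constructed here to mimic the reported pattern; the arXiv API host export.arxiv.org, the SSL_CTX and ARXIV_API names, and the fetch helper are assumptions, not lines taken from the skill.

```python
"""Added example: audit a downloaded skill script for disabled TLS
verification and plaintext HTTP, and build the hardened replacements.
Not code from the skill; the host name and the snippet below are constructed."""
import re
import ssl
from urllib.parse import urlsplit, urlunsplit

# Each pattern marks a line that weakens transport security. The last one
# flags any plaintext URL, which is what the scan reports for arXiv.
WEAKENING_PATTERNS = [
    ("hostname_check_disabled", re.compile(r"check_hostname\s*=\s*False")),
    ("cert_verification_disabled", re.compile(r"verify_mode\s*=\s*ssl\.CERT_NONE")),
    ("unverified_context_helper", re.compile(r"_create_unverified_context")),
    ("requests_verify_false", re.compile(r"\bverify\s*=\s*False")),
    ("plaintext_http_url", re.compile(r"http://[^\s'\"]+")),
]


def audit_source(source):
    """Return (line_no, finding, matched_text) for every weakening pattern,
    skipping comment lines so a commented-out bypass is not reported."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for name, pattern in WEAKENING_PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append((line_no, name, match.group(0)))
    return hits


def hardened_context():
    """The context the script should use: chain verified against the system
    trust store and hostname checked. ssl.create_default_context() already
    does both; the skill's two follow-up assignments are what undo it."""
    return ssl.create_default_context()


def context_is_hardened(ctx):
    """True when the context still verifies the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def force_https(url):
    """Upgrade an http:// URL to https://; any other scheme is returned as is."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def fix_source(source):
    """Drop the two assignments that weaken the context and upgrade every
    http:// literal, leaving the default context built earlier intact."""
    kill = re.compile(r"check_hostname\s*=\s*False|verify_mode\s*=\s*ssl\.CERT_NONE")
    kept = [line for line in source.splitlines() if not kill.search(line)]
    return "\n".join(line.replace("http://", "https://") for line in kept)


# Constructed snippet mimicking the reported pattern; export.arxiv.org is an
# assumption about the arXiv API host, not a line taken from the skill.
CONSTRUCTED_SNIPPET = """\
import ssl, urllib.request
SSL_CTX = ssl.create_default_context()
SSL_CTX.check_hostname = False
SSL_CTX.verify_mode = ssl.CERT_NONE
ARXIV_API = "http://export.arxiv.org/api/query?id_list="
def fetch(url):
    return urllib.request.urlopen(url, context=SSL_CTX).read()
"""

if __name__ == "__main__":
    for line_no, name, text in audit_source(CONSTRUCTED_SNIPPET):
        print(f"line {line_no}: {name}: {text}")
    print("--- hardened ---")
    print(fix_source(CONSTRUCTED_SNIPPET))
```

The audit is a line-level heuristic, enough to catch the flagged pattern but not a substitute for reading the script. If the hardened context then fails on a corporate network because traffic goes through a TLS-inspecting proxy, the right fix is to trust that proxy's CA (ssl.create_default_context(cafile=...) or the SSL_CERT_FILE environment variable), not to set CERT_NONE again.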

Like a lobster shell, security has layers — review code before you run it.

Tags: academic, arxiv, citation, latest, research


Runtime requirements

Clawdis
Bins: python
