Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
paper-cluster-survey-v2-2
v2.2.0Extract structured paper records from one or more local PDFs, arXiv links, DOI links, or general paper URLs, then classify the papers and write an academic s...
⭐ 0· 100·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the included scripts and SKILL.md. The scripts implement normalization, fetching/extraction, and review rendering which are the stated capabilities. Optional tooling (pdftotext, mutool, python3+pypdf) is referenced for higher-quality PDF extraction but is not required to run the scripts.
Instruction Scope
The SKILL.md confines actions to normal extraction, classification, and review drafting. Runtime scripts will (a) read local PDF paths you provide, (b) fetch HTTP/HTTPS URLs you provide (following redirects), and (c) run local PDF extraction tools if available. There is no instruction to read unrelated system files or to transmit data to third-party endpoints other than the original paper URLs. Note: because the extractor will fetch arbitrary URLs supplied by the user and follow redirects, supplying untrusted URLs can cause network access (including to internal endpoints) and return their contents into the pipeline.
Install Mechanism
No install spec is provided (instruction-only skill). The repository contains Node.js scripts (ESM) but nothing that downloads remote install artifacts or executes remote installers. This is a low-risk install surface; running the scripts requires Node.js available in the environment.
Credentials
The skill requests no environment variables, credentials, or config paths. The scripts use local filesystem access for user-supplied PDF paths and temporary directories for downloads, which is expected and proportional to the purpose.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It runs as transient scripts and writes temporary files when downloading PDFs; this is normal for the task.
Assessment
This skill appears coherent and implements what it claims: normalizing sources, extracting text/metadata from PDFs and paper URLs, classifying, and rendering a review. Before using it consider: (1) Provide only trusted URLs and local files — the extractor will fetch arbitrary HTTP(S) URLs and follow redirects, which can reach internal network endpoints (SSRF-like risk) and return their contents into the review pipeline. (2) High-quality PDF extraction can depend on optional local tools (pdftotext, mutool, or python3+pypdf); if those are not installed the script falls back to less-accurate methods. (3) The scripts invoke child processes and write temporary files under the OS temp directory — run them in a sandbox or environment you control if you are concerned about sensitive data. (4) No credentials are requested by the skill. If you plan to install, ensure Node.js 18+ is available and review any inputs (URLs/paths) you hand to the skill.scripts/extract-paper-records.mjs:162
Shell command execution detected (child_process).
scripts/extract-paper-records.mjs:121
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk971vabk0hmk3crvf8c868dwxx837wfe
License
MIT-0
Free to use, modify, and redistribute. No attribution required.