Literature Manager Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its literature-management purpose, but it can automatically use Sci-Hub, encourages persistent cron-monitored sub-agents, and has an audit-script path handling bug that could run unintended Python code.
Before installing, decide whether you are comfortable with Sci-Hub being used and require explicit opt-in if not. Do not allow cron jobs or long-running sub-agents unless you approve their scope and cleanup. Avoid auditing untrusted or oddly named directories until audit.sh is fixed to pass paths safely, and consider pinning the optional markitdown dependency.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user asking to download a paper could unintentionally download through Sci-Hub, which may violate publisher terms or copyright law in some jurisdictions.
The script automatically attempts Sci-Hub for any DOI after other sources fail. Although a legal note is present, the code does not require explicit confirmation before using this legally risky source.
# Strategy 5: Sci-Hub ... try_download "https://sci-hub.box/${DOI}" "Sci-Hub" && exit 0
Disable Sci-Hub by default, require an explicit user opt-in for each use, and clearly report which source was used for every downloaded PDF.
The agent could create background monitoring or long-running work that continues after the user expected the task to end.
The skill instructs use of long-running sub-agents and cron monitoring, but the visible artifact does not define user approval, scope, expiration, or cleanup for that persistent automation.
Always use a separate sub-agent for verification ... Set a cron monitor whenever spawning long-running agents
Require explicit user approval before spawning long-running agents or cron jobs, define a bounded runtime, and include cleanup instructions.
Auditing a maliciously named or untrusted directory could execute local code under the user's account.
INDEX is derived from the user-supplied references directory and is interpolated directly into Python source code. A crafted path containing quotes and Python syntax could break out of the string and execute unintended Python during audit.
python3 -c "import json; json.load(open('$INDEX'))"
Pass paths to Python via command-line arguments or environment variables instead of embedding them in a python3 -c string, and quote/escape all path values safely.
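The following is an added example, not code from the skill's own audit.sh: it places the quoted unsafe interpolation beside the argv-based fix and exercises both against a references directory whose name contains an apostrophe (a constructed fixture; python3 on PATH is assumed).

```shell
#!/bin/sh
# Added example for the audit-script finding; not the skill's own code.
# Assumes python3 is on PATH and that the references directory holds index.json.

# Unsafe form from the finding: $INDEX is spliced into Python source text, so a
# quote or any Python syntax in the directory name is parsed as code, not data.
audit_index_unsafe() {
    INDEX="$1/index.json"
    python3 -c "import json; json.load(open('$INDEX'))" 2>/dev/null
}

# Fixed form: the path is handed over as argv[1]. The Python source is a fixed
# single-quoted literal, so the shell never expands anything into it and Python
# never interprets the path as code.
audit_index_safe() {
    INDEX="$1/index.json"
    python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$INDEX" 2>/dev/null
}

# Constructed fixture: a references directory whose name contains an apostrophe.
# This is a perfectly ordinary name, and it already breaks the unsafe form.
make_fixture() {
    base=$(mktemp -d)
    refs="$base/o'reilly refs"
    mkdir -p "$refs"
    printf '{"papers": []}\n' > "$refs/index.json"
    printf '%s\n' "$refs"
}

# Runs both forms against the fixture and reports which one survives.
demo() {
    refs=$(make_fixture)
    if audit_index_unsafe "$refs"; then
        echo "unsafe form: ok"
    else
        echo "unsafe form: failed (Python parsed the path as source)"
    fi
    if audit_index_safe "$refs"; then
        echo "safe form: ok"
    else
        echo "safe form: failed"
    fi
}
```

Running demo shows the unsafe form rejecting the apostrophe path with a syntax error while the safe form reads the index normally; the same mechanism is what lets a crafted name inject Python, so the argv form removes the risk rather than working around one character.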
Conversion may run different package code over time depending on what uvx resolves, which can affect reproducibility and supply-chain risk.
The PDF conversion fallback runs markitdown through uvx without a pinned version. This is purpose-aligned, but it can depend on the current external package version available to uvx.
uvx markitdown[pdf] "$INPUT" > "$OUTPUT" 2>/dev/null
Pin the markitdown version or require a preinstalled, trusted converter for production or sensitive document collections.
Project notes, paper summaries, or local library structure could be shared across multiple agent contexts without clear boundaries.
The sub-agent workflow is disclosed and purpose-aligned for large batches, but the artifact does not specify data boundaries or what project context each sub-agent may access.
Download: 1 sub-agent per batch of ~5-8 papers ... Organize: 1 sub-agent to build indexes ... Verify: 1 independent sub-agent
Limit sub-agents to the minimum files and metadata needed for each batch, and get user approval before sharing private project context between agents.
