Skill v1.0.3
ClawScan security
Hf Papers · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 7:18 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested credentials are coherent with its stated purpose (fetch HF Papers and translate abstracts); nothing in the package indicates unrelated or hidden behavior, though you should confirm which translation endpoint you trust before supplying keys.
- Guidance: This skill appears to do what it says: fetch HF Papers and translate abstracts. Before installing or providing credentials:
  1. Decide which translation backend you trust — DEEPLX_URL is an endpoint you must supply (it may include a token); only use endpoints you control or trust.
  2. Prefer using an API key with the least privileges needed (e.g., a separate OpenAI-compatible key for this purpose), and avoid placing long-lived secrets in global shells if you can put them in a per-skill .env.
  3. Review the two Python scripts (they're small and readable) and run them in an isolated environment first if you're unsure.
  4. Note the minor metadata mismatch: the registry listing did not show required env vars but SKILL.md does — follow SKILL.md when configuring.
  5. If you must keep translations private, be aware that abstracts are sent to the configured external translation service (DeepLX or your OpenAI-compatible endpoint).
Review Dimensions
- Purpose & Capability (note): The skill fetches HuggingFace Papers and translates abstracts; the translation-related env vars (DEEPLX_URL, OPENAI_API_KEY, OPENAI_BASE_URL, OPENAI_MODEL, TRANSLATE_BACKEND) declared in SKILL.md are appropriate for that purpose. Minor inconsistency: registry metadata earlier indicated no required env vars while SKILL.md declares them — this is a documentation/metadata mismatch to be aware of.
- Instruction Scope (ok): Runtime instructions and the scripts stick to the stated task: fetching HF pages, parsing paper metadata, translating abstracts via DeepLX or an OpenAI-compatible API, generating a markdown report, and saving it under reports/. They only read a local .env and standard translation-related environment variables; they do not attempt to read unrelated system files or exfiltrate arbitrary data.
- Install Mechanism (ok): No install spec is provided (instruction-only install), and the only runtime dependency is python-dotenv (pip). Code is included as plain Python scripts. No downloads from arbitrary URLs or archive extraction are used by the skill itself.
- Credentials (ok): Requested environment variables are directly related to the translation backends. OPENAI_API_KEY and DEEPLX_URL are sensitive (they contain credentials/tokens), but their use is explained and expected. The skill does not request unrelated secrets or multiple unrelated service credentials.
- Persistence & Privilege (ok): The skill does not request elevated or persistent platform privileges (always: false). It writes output reports into a local reports/ folder under the skill directory (documented) and does not modify other skills or system-wide agent settings.
