Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

paper-parser-skill

v0.1.4

CLI tool to search, download, and parse academic papers from arXiv into AI-friendly Markdown using MinerU API.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's declared purpose (search/download/parse arXiv papers using MinerU) aligns with the instructions: it requires a MinerU API token and a local workspace. However, the registry metadata shown earlier lists no required environment variables or primary credential while the SKILL.md explicitly requires MINERU_API_TOKEN in the config file — this metadata mismatch is an incoherence that should be resolved.
Instruction Scope
Runtime instructions are scoped to searching arXiv, downloading PDFs to a local workspace, and uploading PDFs/metadata to MinerU for parsing. The SKILL.md explicitly warns about external processing and recommends not uploading sensitive documents. It does not instruct reading other unrelated system files or credentials.
Install Mechanism
There is no platform-level install spec (instruction-only). The SKILL.md tells users to pip install the package from PyPI, which is a standard but non-trivial install action (third-party code executed locally). This is expected for a CLI Python tool but carries the usual risks of executing third-party packages — the doc recommends using a virtualenv/container.
Credentials
The runtime requires a MinerU API token (MINERU_API_TOKEN) stored in ~/.paper-parser/config.yaml; that credential is appropriate for the stated parsing functionality. The concern is the mismatch between registry metadata (which lists no required env vars/credentials) and the SKILL.md (which lists the token as required). That inconsistency can mislead users about what secrets will be needed and stored. Also note the token grants external upload/processing rights—store a revocable, minimal-scope token and avoid uploading sensitive documents.
Persistence & Privilege
The skill is user-invocable and not forced-always. It requests a per-skill config file in the user's home directory and stores downloaded PDFs in a workspace; it does not request system-wide privileges or to modify other skills. No signs of elevated persistent platform privilege are present.
What to consider before installing
This tool will download PDFs locally and upload them to the MinerU service for parsing — only provide a MinerU token if you trust that service and avoid uploading confidential/unpublished material. Before installing: (1) Inspect the GitHub repo and PyPI package contents to confirm behavior; (2) Note the metadata mismatch: the registry omitted the required MINERU_API_TOKEN even though SKILL.md requires it—ask the publisher to correct metadata if you rely on registry info; (3) Use a dedicated, revocable token with minimal scope; store it securely in ~/.paper-parser/config.yaml and limit file permissions; (4) Install inside a virtualenv or container to limit blast radius from third-party code; (5) If you need offline parsing or cannot share PDFs, seek local alternatives. If you want higher assurance, request the actual package source and hashes or run the package in an isolated environment and audit network activity on first run.

Like a lobster shell, security has layers — review code before you run it.

latestvk979c6k69kcf7tsndj16e23nz584x7h1


Runtime requirements

Config: ~/.paper-parser/config.yaml