Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
paper-research-assistant
v1.0.0 · Automated assistant for reading and reproducing research papers. Use when the user needs to: (1) read a paper PDF and extract its core content, (2) generate a structured reading report, (3) find the official code/datasets, (4) write a reproduction code skeleton, (5) design an experimental plan to reproduce the paper's results.
⭐ 0 · 315 · 1 current · 1 all-time
by Limax (@limax666)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The skill claims to (1) parse PDFs, (2) generate reports, (3) find official code/datasets, and (4) scaffold reproduction code. The included scripts (parse_paper.py, generate_report.py, scaffold_code.py) implement local PDF parsing, report generation, and code scaffolding — so most claimed capabilities are present. However, SKILL.md also describes automated resource collection using GitHub/arXiv/HuggingFace APIs (step 3) but none of the provided scripts implement network/API calls to perform those searches; that capability is missing.
Instruction Scope
SKILL.md instructs using paths like scripts/parse_paper.py and references/report_template.md and also describes using arXiv/GitHub/HuggingFace APIs. In the package the script files and templates are at the repository root (parse_paper.py, generate_report.py, report_template.md, code_style.md), not under scripts/ or references/. The scripts themselves do not fetch arXiv or GitHub resources — they only operate on local files. This mismatch can lead to runtime failures or unexpected manual steps. Also parse_paper.py stores a 5000-character preview of the PDF text into the metadata JSON, which could include sensitive content if the PDF is private.
Install Mechanism
No install spec is provided (instruction-only style plus plain Python scripts). That is low-risk from an installation/execution-supply chain perspective — nothing is downloaded or executed automatically beyond the local scripts.
Credentials
The skill requires no environment variables, no credentials, and no config paths. SKILL.md lists optional tool dependencies (PyMuPDF/pdfplumber, arXiv/GitHub/HuggingFace APIs) but the code only uses PyMuPDF and standard libraries. No secrets are requested by the package.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges. The scaffold script writes files into a user-specified output directory (expected behavior for code generation). There is no evidence it modifies other skills or system settings.
What to consider before installing
This package looks like a legitimate paper-reading / scaffold generator but it is sloppy and incomplete. Things to consider before installing or running:
- Path mismatches: SKILL.md refers to scripts/ and references/ subfolders (e.g., scripts/parse_paper.py, references/report_template.md), but the actual files are at the repository root. Running the example commands as-written will likely fail unless you move/rename files or adjust paths.
- Missing web/resource search: SKILL.md describes automated searches of arXiv, GitHub, HuggingFace, and license verification. The provided scripts do not perform network/API calls for that — the AI agent or you would need to implement those steps separately. Do not assume the skill will automatically fetch remote resources.
- Data handling: parse_paper.py extracts full text and writes a 5000-character preview into the metadata JSON. If you give it private or embargoed PDFs, that content will be written to disk. Run in a safe environment and inspect outputs if privacy is a concern.
- Code generation: scaffold_code.py will create files under the output directory you specify. Review generated files (e.g., requirements.txt, placeholder dataset code) before executing any generated training scripts. Requirements and placeholders may need correction (e.g., package names/versions).
Recommended actions:
1. Run the scripts in an isolated environment (container/VM) the first time.
2. Fix or adapt the path references in SKILL.md or move files into the expected directories so examples work as intended.
3. If you need automatic resource discovery (GitHub/arXiv/HuggingFace), implement or verify a network-safe method and confirm any API tokens/credentials are handled securely (this skill does not request them).
4. Inspect outputs (metadata JSON, generated code) before running any generated training jobs to avoid accidental execution on sensitive data or unexpected code.
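The path and capability findings above can be checked mechanically before anything in the package is run. The script below is an added example, not part of ClawHub's scanner or of the paper-research-assistant skill: it extracts every relative file path that SKILL.md references and reports the ones absent from the package, and it inspects each Python file with the `ast` module (without importing or executing it) for imports or calls that would give the script network, process-spawning or dynamic-code capability. The package it scans is constructed inside a temporary directory; the file names follow the scan report, the file bodies are stand-ins, and `hypothetical_fetch.py` is not in the real package but is included only so the scan shows a positive hit.

```python
"""Static triage for an OpenClaw-style skill package (added example).

Not part of ClawHub or the paper-research-assistant skill. Two checks:
  1. every relative file path SKILL.md points at must exist in the package;
  2. each .py file is parsed with ast for imports or calls that give it
     network, process-spawning or dynamic-code capability.
The package written by build_sample_package() is constructed for this
example: file names follow the scan report, contents are minimal stand-ins.
"""
import ast
import re
import tempfile
from pathlib import Path

NETWORK_MODULES = {"requests", "urllib", "urllib3", "httpx", "socket",
                   "http", "aiohttp", "ftplib", "smtplib"}
PROCESS_MODULES = {"subprocess", "os", "ctypes", "multiprocessing"}
DYNAMIC_CALLS = {"eval", "exec", "__import__", "compile"}

# A path candidate needs a directory component and a file extension, so a
# prose fragment like "arXiv/GitHub/HuggingFace" is not mistaken for a file.
PATH_RE = re.compile(r"(?<![\w/])(?:[\w.-]+/)+[\w-]+\.[A-Za-z0-9]+\b")
URL_RE = re.compile(r"https?://\S+")


def referenced_paths(skill_md: str) -> set[str]:
    """Relative paths mentioned in SKILL.md, with URLs stripped first."""
    return set(PATH_RE.findall(URL_RE.sub("", skill_md)))


def missing_paths(pkg: Path) -> list[str]:
    """Paths SKILL.md references that do not exist in the package."""
    text = (pkg / "SKILL.md").read_text(encoding="utf-8")
    return sorted(p for p in referenced_paths(text) if not (pkg / p).exists())


def script_capabilities(source: str) -> dict[str, list[str]]:
    """Classify a script's imports and dynamic-code calls without running it."""
    tree = ast.parse(source)
    modules, dynamic = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            modules.add(node.module.split(".")[0])
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in DYNAMIC_CALLS:
                dynamic.add(node.func.id)
    return {
        "network": sorted(modules & NETWORK_MODULES),
        "process": sorted(modules & PROCESS_MODULES),
        "dynamic": sorted(dynamic),
    }


def triage(pkg: Path) -> dict:
    """Run both checks over a package directory."""
    scripts = {py.relative_to(pkg).as_posix():
               script_capabilities(py.read_text(encoding="utf-8"))
               for py in sorted(pkg.rglob("*.py"))}
    return {"missing_paths": missing_paths(pkg), "scripts": scripts}


# Constructed stand-in for the skill's SKILL.md, using the paths the report cites.
SKILL_MD = """# paper-research-assistant (constructed stand-in for this example)
1. Parse the PDF: `python scripts/parse_paper.py paper.pdf`
2. Fill in references/report_template.md with the extracted sections.
3. Search the arXiv/GitHub/HuggingFace APIs for official code and datasets.
4. Scaffold a repo: `python scripts/scaffold_code.py --out ./repro`
"""

# Files at the package root, as the scan report describes; bodies are stubs.
FILES = {
    "SKILL.md": SKILL_MD,
    "report_template.md": "# Report\n",
    "code_style.md": "Use black.\n",
    "parse_paper.py": (
        "import json, sys\n"
        "import fitz  # PyMuPDF\n"
        "def main(path):\n"
        "    text = ''.join(p.get_text() for p in fitz.open(path))\n"
        "    json.dump({'preview': text[:5000]}, sys.stdout)\n"
    ),
    "generate_report.py": "from pathlib import Path\n",
    "scaffold_code.py": "import os\nfrom pathlib import Path\n",
    # Hypothetical: NOT in the real package; included so the scan shows a hit.
    "hypothetical_fetch.py": "import requests\ncode = eval(input())\n",
}


def build_sample_package() -> Path:
    """Write the constructed package to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="skill-triage-"))
    for name, body in FILES.items():
        (root / name).write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    result = triage(build_sample_package())
    print("Missing paths:", result["missing_paths"])
    for name, caps in result["scripts"].items():
        flags = {k: v for k, v in caps.items() if v}
        print(f"{name}: {flags or 'local-only'}")
```

Run it against the real package by pointing `triage()` at the unpacked directory instead of `build_sample_package()`. A clean result (no missing paths, no network or dynamic-code imports) confirms the two specific findings above but does not make the package safe on its own: a script that only touches local files can still write sensitive extracted text to disk, as parse_paper.py does with its 5000-character preview, so the isolated-environment and output-inspection steps still apply.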
Given the inconsistencies and missing functionality (not strictly malicious), treat the skill as potentially useful but immature; review and test it before trusting it with sensitive papers or running generated experiments.
