Skillv1.0.0

ClawScan security

ynu-papergraphgeneration-openclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 12, 2026, 8:06 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely matches its stated purpose (PDF→diagram generation) but includes actions that warrant caution—most notably executing model-generated Python code and sending paper text plus prompts to external image/LLM APIs, with some minor mismatches between declared and used environment variables.
Guidance: Key things to consider before installing or enabling this skill: - It will call external image/LLM APIs and therefore will send prompts and (potentially large) portions of your paper text to those endpoints. Only configure API keys for services you trust and understand the provider's privacy policy. - The chart generator component accepts a model-produced Matplotlib script and writes it to disk then executes it with subprocess.run. That means arbitrary Python code produced by the LLM (or returned by an external service) can run on your machine. If you proceed, run the skill in a restricted environment (container, VM) or review generated code before execution. - image_generator disables trust of system proxy env vars (session.trust_env = False). This can bypass local proxy/audit infrastructure and change how requests leave your host — be cautious if you rely on corporate proxies or monitoring. - The skill recommends storing keys in ~/.openclaw/openclaw.json; storing API keys locally is convenient but increases persistence of secrets. Prefer using a limited-scope API key, rotate keys regularly, and avoid placing high-privilege credentials here. - The code expects an LLM callback (llm_call_fn) and mentions optional PAPER_DIAGRAM_LLM_* env vars; if you configure an LLM endpoint/keys, the skill may send prompts (scanning/merging/extraction) to that LLM. If you don't intend to share your paper content with an external LLM, do not provide those keys. - There is no automatic installer; you must manually install listed Python packages (requests, pdfminer.six, optionally PyMuPDF/pdfplumber/pypdf, Pillow/pytesseract). Ensure dependencies are installed in an isolated environment to limit impact. What would change this assessment: explicit safeguards around executing generated code (e.g., running generated scripts in a sandbox, requiring an explicit user confirmation step before execution), documented safe networking defaults (respecting proxies), or removal of subprocess execution would reduce concerns. Conversely, evidence of hidden endpoints, credential exfiltration code, or automatic persistence of secrets would raise the verdict to malicious.

Review Dimensions

Purpose & Capability: noteName/description (paper→diagram generation) align with the code and required binaries: Python and an external image-generation API (BANANA2 / acedata). The primary credential (BANANA2_API_KEY) is appropriate. One minor incoherence: many modules expect an LLM callable (llm_call_fn) and SKILL.md suggests PAPER_DIAGRAM_LLM_URL/KEY, but those LLM env vars are not declared as required — they are optional but used in prompts/fallbacks. Overall capabilities are consistent with the stated purpose.
Instruction Scope: concernRuntime instructions and code cause network calls to external image-generation APIs and may send substantial paper text and generated prompts. The chart_generator writes and executes arbitrary Python code (via subprocess.run) that originates from model-generated content — this is powerful and can run arbitrary code on the host. image_generator also disables session.trust_env (bypassing system proxy environment variables), which can change networking behavior and has privacy implications. SKILL.md recommends storing API/LLM keys in a config file (~/.openclaw/openclaw.json), which implies persistent local storage of secrets.
Install Mechanism: noteThe skill is instruction-only in registry terms (no install spec) but includes multiple Python scripts that require dependencies (requests, pdfminer.six, optional PyMuPDF/pypdf/pdfplumber, pytesseract/Pillow). Lack of a formal install step means dependencies must be installed manually; there is no remote download or unclear install URL. No high-risk external download is present in the manifest.
Credentials: noteThe required env vars (BANANA2_API_URL, BANANA2_API_KEY) are proportional to the declared image-generation functionality. The code also reads fallback vars (ACEDATA_API_KEY, PAPER_DIAGRAM_API_KEY, PAPER_DIAGRAM_LLM_URL/KEY) and SKILL.md suggests storing LLM keys — these additional credentials are optional but present in prompts and code; users should be aware the skill can use any of these if set. No unrelated cloud credentials (AWS, GCP) are requested.
Persistence & Privilege: okThe skill does not request 'always: true' and is user-invocable. It does not appear to modify other skills or system-wide agent settings programmatically. It suggests the user add credentials to ~/.openclaw/openclaw.json (a recommendation), but it does not automatically persist or escalate privileges.