Agentic Paper Digest Skill
PassAudited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned for fetching and summarizing papers, but users should trust the external GitHub project before running it and should handle API keys carefully.
Install only if you trust the linked GitHub project. Review the downloaded repository and requirements, use a limited API key in a local .env file, confirm the workspace path before bootstrapping, and be careful with the stop script if another service may be using port 8000.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill will trust the current contents of the external repository and its dependencies.
The helper installs and runs code from an external GitHub repository and its requirements file, rather than using fully bundled reviewed code.
REPO_URL="https://github.com/matanle51/agentic_paper_digest" ... git clone "$REPO_URL" "$PROJECT_DIR" ... pip install -r requirements.txt
Review the GitHub repository and requirements before running bootstrap, and prefer a pinned commit or locked dependencies for repeatable installs.
The paper-digest code can use the configured LLM API key and may incur provider usage costs.
The skill expects provider API credentials for summarization, which is purpose-aligned but gives the downloaded application access to the configured LLM account.
LLM access via `OPENAI_API_KEY` or an OpenAI-compatible provider via `LITELLM_API_BASE` + `LITELLM_API_KEY`.
Use a dedicated or limited-scope API key where possible, store it in a local .env file rather than chat, and monitor provider usage.
A malicious or accidentally unsafe .env file could run commands when the wrapper starts.
The wrapper sources the .env file as shell script and then executes the downloaded Python module. This is a common local workflow, but an untrusted .env file could execute shell commands.
if [ -f "$ENV_FILE" ]; then set -a source "$ENV_FILE" set +a fi python -m paper_finder run --json "$@"
Only use .env files you created or reviewed, and avoid setting ENV_FILE to an untrusted path.
Running the stop script could interrupt an unrelated local service using port 8000.
The stop helper terminates whatever process is listening on TCP port 8000, which may be the intended API server but could also be another local service.
lsof -ti tcp:8000 | xargs kill -9 2>/dev/null || true
Before running the stop script, check that port 8000 is being used by this paper-digest API.
Old topics, settings, or stored paper data may influence future runs.
The skill persists paper data and configuration that can affect later digest results.
Data store: `data/papers.sqlite3` (under `PROJECT_DIR`). ... `config/topics.json` ... `config/settings.json`: ... Updated via `POST /api/settings`.
Review configuration files periodically and clear or back up the local data directory if you want a fresh run.