paper claw

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill's paper-digest purpose is understandable, but the provided artifact runs missing or unreviewed helper code from a parent directory and writes configuration outside the clearly supplied files.

Before installing or running this skill, ask for a complete package that includes the referenced scripts, config files, and workflow, or inspect the GitHub source yourself. Do not provide real SMTP or LLM API credentials until you know exactly what scripts/main.py does and where the skill will write files.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1

What this means

Running the main paper-fetching action may execute code that was not included in this review, potentially using your email or LLM credentials.

Why it was flagged

The helper executes a Python script located under a parent-derived path, but scripts/main.py is not included in the provided manifest. Invoking the fetch function could therefore run unreviewed or unintended code outside the supplied artifact.

Skill content

SKILL_ROOT = Path(__file__).resolve().parents[1]
cmd = ["python", str(SKILL_ROOT / "scripts" / "main.py")]
result = subprocess.run(cmd, capture_output=True, text=True, cwd=SKILL_ROOT)

Recommendation

Only run this after confirming the exact scripts/main.py source is included, reviewed, and located inside the intended skill directory.

Finding 2

What this means

The visible package may not be enough to know what code will actually run or what a scheduled job would do.

Why it was flagged

The documentation references runtime scripts, workflow files, and config files that are not present in the supplied file manifest, and there is no install spec explaining how those files are obtained.

Skill content

python scripts/main.py
Already configured in `.github/workflows/daily_digest.yml`
See `config/arxiv_categories.json`

Recommendation

Require a complete packaged artifact or a pinned, reviewable install source before installing or scheduling the skill.

Finding 3

What this means

Applying presets or configuring recipients could modify files outside the expected skill folder.

Why it was flagged

In the provided top-level layout, the code derives its working root from the parent of the skill file and writes configuration there. This is broader than a clearly scoped write under the supplied skill directory.

Skill content

SKILL_ROOT = Path(__file__).resolve().parents[1]
config_path = SKILL_ROOT / "config" / "recipients.json"
config_path.write_text(json.dumps(config, indent=2, ensure_ascii=False), encoding="utf-8")

Recommendation

Change file writes to a clearly contained skill-owned directory and show the user the target path before modifying configuration.

Finding 4

What this means

The skill can send email through the configured SMTP account and may call external AI providers if keys are supplied.

Why it was flagged

The skill needs SMTP credentials for email delivery and optionally LLM provider keys for summaries. This is purpose-aligned and disclosed, with no direct evidence of credential leakage in the supplied files.

Skill content

requires":{"bins":["python3"],"env":["SMTP_HOST","SMTP_PORT","SMTP_USER","SMTP_PASS"],"optional_env":["MOONSHOT_API_KEY","OPENAI_API_KEY","ANTHROPIC_API_KEY","GOOGLE_API_KEY","DEEPSEEK_API_KEY"]}

Recommendation

Use dedicated, least-privilege credentials where possible and review the complete runtime code before providing real keys.

Finding 5

What this means

If scheduled, the skill may repeatedly fetch papers and send digests without a fresh manual prompt each day.

Why it was flagged

The skill documents persistent deduplication state and optional scheduled daily execution. This is disclosed and aligned with a daily digest, but users should recognize that enabling it creates recurring autonomous activity.

Skill content

🔄 **State Persistence** — Auto-deduplication

### Schedule Daily Runs
0 1 * * * cd /path/to/paper_claw && python scripts/main.py

Recommendation

Enable scheduling only after reviewing the full runtime and confirming recipients, credentials, and output paths.