Code Plugin
source linked
Paper Search
v2026.4.9
OpenClaw paper search plugin for academic literature
Community code plugin. Review compatibility and verification before install.
openclaw plugins install clawhub:paper-search
Latest release: v2026.4.9
Capabilities
- Tags
- configSchema: Yes
- Executes code: Yes
- HTTP routes: 0
- Runtime ID: paper-search
Compatibility
- Built With Open Claw Version: 2026.4.5
- Min Gateway Version: 2026.3.24-beta.2
- Plugin Api Range: >=2026.3.24-beta.2
- Plugin Sdk Version: 2026.3.24-beta.2
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description indicate a multi-source 'paper search' (semantic, arxiv, pubmed). The plugin code implements only Semantic Scholar calls; there are no arXiv or PubMed integrations in index.ts. The plugin manifest (openclaw.plugin.json) exposes defaultSources including arxiv and pubmed which the code does not honor. A large ccf-data.json file is included but not referenced by the provided code, increasing size/surface without clear purpose.
Instruction Scope
Runtime code limits external communication to api.semanticscholar.org and uses an optional plugin-configured API key; it does not read environment variables or arbitrary files. However, the declared SKILL.md content appears to be package.json metadata rather than human-readable runtime instructions, which is unexpected and could confuse reviewers or operators.
Install Mechanism
There is no install spec that downloads remote artifacts; package.json lists a single small dependency (@sinclair/typebox). No external or obscure URLs are fetched during install. The absence of an installer means nothing arbitrary is pulled in during installation by the skill bundle itself.
Credentials
The plugin requests no environment variables or credentials by default. It exposes an optional semanticScholarApiKey in its config schema (reasonable and proportional to the stated purpose). There are no other sensitive-looking env var or credential requests.
Persistence & Privilege
The plugin is marked enabledByDefault: true in openclaw.plugin.json, so it will be active unless the user disables it. always is false and the skill does not request elevated platform privileges. Still, enabled-by-default increases the chance it will be invoked automatically — consider disabling until you verify behavior.
What to consider before installing
This plugin appears to implement Semantic Scholar searches and asks only for an optional Semantic Scholar API key (reasonable). However, there are a few inconsistencies that suggest sloppy packaging rather than clear malicious intent: (1) the manifest advertises support for arXiv and PubMed but the code only calls Semantic Scholar, (2) a large ccf-data.json file is bundled but not referenced in the code, and (3) the SKILL.md content is package metadata rather than readable runtime instructions.
Recommended actions before installing or enabling:
1) If you require arXiv/PubMed support, ask the author for clarification or a version that implements those sources.
2) If you plan to provide a semanticScholarApiKey, prefer storing it in the plugin config rather than pasting it into chat; confirm how the platform stores plugin config secrets.
3) Because the plugin is enabled by default, consider disabling it until you test a few queries and inspect network calls (they should go only to api.semanticscholar.org).
4) If you need higher assurance, review the index.ts code yourself or request the author to remove unused large data files and fix the SKILL.md to include human-facing instructions.
My confidence is medium because the issues look like packaging oversights rather than clear malicious behavior, but these inconsistencies should be resolved first.
Verification
- Tier: source linked
- Scope: artifact only
- Summary: Validated package structure and linked the release to source metadata.
- Commit: 5a817e3d5d29
- Tag: main
- Provenance: No
- Scan status: pending
Tags
- beta: 2026.4.1-beta.1
- latest: 2026.4.9
