Skill v1.0.0
ClawScan security
Daily Paper Digest · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 20, 2026, 11:34 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, dependencies, and runtime instructions match its stated purpose (aggregating arXiv and HuggingFace papers) and request no unrelated credentials or privileged access.
- Guidance: This skill is internally coherent and appears to do what it says: fetch and format papers from arXiv and HuggingFace. Before installing, consider the following:
  1. Origin verification: the repo/homepage field is a placeholder (https://github.com/your-username/...), so confirm the source or maintainer before deploying widely.
  2. Run the included test.py and first run the skill in a sandbox or isolated environment to confirm behavior and network traffic.
  3. Scraping HuggingFace relies on page structure and may break or be rate-limited; respect site robots and rate limits.
  4. Install dependencies into a virtualenv to avoid interfering with system packages.
  5. If you plan to integrate with a chat app, ensure any chat webhook/credentials are provided only when necessary and stored securely (this skill does not request those by default).
Review Dimensions
- Purpose & Capability (ok): Name/description (daily arXiv + HuggingFace digest) align with code and dependencies: the repository contains fetchers for arXiv and HuggingFace and a main runner. Required binaries (python3, pip3) and Python packages (arxiv, requests, beautifulsoup4, feedparser) are appropriate for the stated functionality.
- Instruction Scope (ok): SKILL.md instructs running main.py and editing config/sources.json. The runtime instructions only reference the skill's own config file and the two web sources. There are no instructions to read unrelated system files, environment secrets, or to transmit data to unexpected endpoints.
- Install Mechanism (note): Dependencies are standard PyPI packages listed in requirements.txt (no arbitrary binary downloads). The install spec uses 'uv' as the kind for package installation, which is atypical/ambiguous in the metadata, but the requirements.txt matches the listed packages, so practical installation would use pip3 install -r requirements.txt. No high-risk external download URLs or archive extraction were found.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths outside its own directory. All external network access is to public services (arXiv APIs and huggingface.co). The lack of requested secrets is proportionate to the task.
- Persistence & Privilege (ok): always is false and the skill does not request elevated system privileges or modify other skills' configurations. It is a scheduled/triggered skill with normal scope for periodic execution.
