ArXiv Watcher

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is aligned with its stated purpose of searching ArXiv. Two low-risk notes apply: it sends queries to ArXiv, and it automatically saves paper summaries to a local memory log.

This looks safe for its stated purpose. Before installing, be aware that your ArXiv queries are sent to ArXiv and that summaries of discussed papers are automatically saved to memory/RESEARCH_LOG.md for long-term tracking.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

Search terms and paper IDs may be visible to ArXiv when the skill is used.

Why it was flagged

The helper sends the user's search query to the ArXiv API. This is expected for an ArXiv search skill and is not hidden, but it is still an external network data flow.

Skill content
curl -sL "https://export.arxiv.org/api/query?search_query=all:$QUERY&start=0&max_results=$COUNT&sortBy=submittedDate&sortOrder=descending"
Recommendation

Use it for intended ArXiv research searches, and avoid entering sensitive unpublished topics if you do not want those queries sent to ArXiv.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The skill may not work on systems without curl, and users should be aware of the helper dependency.

Why it was flagged

The artifact includes a helper script that depends on curl, while the registry requirements declare no required binaries. This is a small metadata/dependency mismatch rather than suspicious behavior.

Skill content
# Use curl to query ArXiv API
curl -sL
Recommendation

Confirm curl is available before use, or update the skill metadata to declare the curl dependency.

ASI06: Memory and Context Poisoning
Low
What this means

A local long-term log of papers you discuss may be created and retained.

Why it was flagged

The skill explicitly stores paper discussions in a persistent memory file. The scope and file path are disclosed, but the saved log may reveal research interests and can be reused later.

Skill content
**MANDATORY**: Append the title, authors, date, and summary of any paper discussed to `memory/RESEARCH_LOG.md`.
Recommendation

Review or delete memory/RESEARCH_LOG.md if it contains sensitive research interests, and consider making logging optional if privacy is important.