Skill v1.0.5
ClawScan security
llm-researcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 8, 2026, 4:21 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and single required secret (MINERU_API_KEY) are consistent with its stated purpose of fetching and converting LLM papers/projects and categorizing them; nothing indicates hidden or unrelated capabilities.
- Guidance: This skill is internally consistent with its goal of finding and summarizing LLM papers/projects, but before installing consider: (1) you must provide MINERU_API_KEY — this sends PDF URLs to mineru.net for conversion, so review MinerU's privacy/terms and avoid sending PDF URLs that contain sensitive/confidential content; (2) ensure Python is available and that a curl executable is present on the host (the script uses curl via subprocess); (3) the skill will download content from the web, write temp files to tmp_llm_research and write a final Markdown report to an output folder (it deletes the temp folder only after successful report creation); (4) if you do not want external PDF conversion, request a downgraded workflow (the SKILL.md already documents an option to skip pdf_to_md.py). If you need higher assurance, ask the author for an option to run a local-only PDF parser or to avoid sending PDFs to third-party services.
Review Dimensions
- Purpose & Capability (note): The skill declares MINERU_API_KEY and uses MinerU (https://mineru.net) to convert PDFs to Markdown, which is coherent with the stated PDF-parsing purpose. Minor inconsistency: the Python script invokes curl via subprocess but the manifest did not list curl as a required binary; SKILL.md does mention Python and network access but not curl explicitly.
- Instruction Scope (ok): SKILL.md limits actions to fetching from the specified sources, using browser/scraping fallbacks, running scripts/pdf_to_md.py for PDF->Markdown, aggregating results, and writing a Markdown report. The instructions do not ask to read unrelated system files or environment variables beyond MINERU_API_KEY, nor to transmit data to endpoints other than MinerU and the target webpages.
- Install Mechanism (ok): No install spec; this is instruction-only plus a small helper script. No archives or third-party downloads performed at install time. Runtime network calls to MinerU and target sites are required.
- Credentials (ok): Only MINERU_API_KEY is required and it is directly used by the included script to authenticate to a PDF-extraction API — proportionate to the stated capability. No other secrets or config paths are requested.
- Persistence & Privilege (ok): always is false; the skill does not request persistent system-level privileges or modify other skills. It writes temporary files (tmp_llm_research) and the final report to an output folder per its documented behavior.
