Agentic Paper Digest Skill
v0.3.3Fetches and summarizes recent arXiv and Hugging Face papers with Agentic Paper Digest. Use when the user wants a paper digest, a JSON feed of recent papers, or to run the arXiv/HF pipeline.
⭐ 5· 3.1k·11 current·11 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (paper digests from arXiv/Hugging Face) align with the runtime instructions and scripts. The skill legitimately needs Python, network access, and an LLM API key. However, registry metadata does not declare required env vars (OPENAI_API_KEY / LITELLM_*), and the SKILL.md explicitly requires network/git access and LLM credentials — this metadata mismatch is worth noting.
Instruction Scope
Runtime instructions require you (or the agent) to open and read config files from the downloaded repo and to source a .env file. The provided run scripts will export and source ENV_FILE (.env) automatically, which may expose any secrets in that file to the running process. The SKILL.md also instructs the agent to ask the user for LLM credentials and other configuration; that is expected for operation but increases the sensitive-surface the skill touches (local config + API keys).
Install Mechanism
There is no registry install spec, but the included bootstrap.sh downloads the GitHub repository (zip or git clone), creates/activates a virtualenv and runs pip install -r requirements.txt from that repo. This is a common pattern but carries moderate risk: arbitrary Python packages and code from the upstream repo will be installed/executed on your system. The download URL is a GitHub repo (not a shortener or unknown host), which reduces but does not eliminate risk.
Credentials
The registry lists no required env vars, yet SKILL.md and the scripts expect LLM credentials (OPENAI_API_KEY or LITELLM_API_KEY/BASE) and many optional envs. The run scripts auto-source an ENV_FILE (.env) and export its contents, which can include unrelated secrets. Requesting an LLM API key is proportional to the stated purpose, but the lack of that declaration in registry metadata and the automatic sourcing of .env are mismatched and increase exposure.
Persistence & Privilege
always is false and the skill does not demand permanent system-wide presence. The skill's scripts install into a user-controlled PROJECT_DIR and create a virtualenv there; they don't modify other skills or global agent settings. Autonomous invocation is allowed (platform default) but not exceptional here.
What to consider before installing
Before installing/running: 1) Review the upstream GitHub repository (https://github.com/matanle51/agentic_paper_digest) and inspect requirements.txt and the package code (paper_finder) so you understand what code will be installed and run. 2) Do not paste your real OPENAI_API_KEY (or other secrets) into .env until you trust the repo — consider using a restricted/test key. 3) Run the bootstrap and the service inside an isolated environment (container or dedicated VM) if possible, since pip will install third-party packages from the repo. 4) Set PROJECT_DIR to a non-sensitive, dedicated directory (not your home root) and check the contents of any auto-created .env. 5) If you require higher assurance, manually clone the repo, inspect files, and run pip install yourself rather than running bootstrap.sh blindly. If you want, I can list the exact files to inspect (requirements.txt, main package entrypoints) or help craft a safe sandbox command-line to run the bootstrap.Like a lobster shell, security has layers — review code before you run it.
latestvk975z8jyfe1r2rn9kb1emwzbcn80pdd6stablevk97eha21qd0fw9n7jjz071bk4n80jjgd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Any binpython3, python