Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Arxiv Skill Extractor

v1.0.0

Automates the process of extracting reusable skill code from arXiv papers. Use this skill to turn paper insights into actual OpenClaw skills.

by WANGJUNJIE (@wanng-ide)
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code creates skill scaffolds (SKILL.md, run.js, paper.json) from a paper object and writes them into a workspace 'skills' folder — this matches the 'extract skill' purpose. Minor inconsistencies: SKILL.md example requires './skills/arxiv-skill-extractor/index.js' which does not match the package layout, and the implementation expects a sibling module '../arxiv-paper-reviews/paper_client.js' that is not present in the bundle.
Instruction Scope
The runtime reads and writes files outside the skill directory: WORKSPACE_ROOT is set to path.resolve(__dirname, "../.."), and the code reads/writes memory/evolution/pending_skill_task.json and writes into workspace/skills/<skillName>. That expands the skill's scope into the agent's workspace and could access unrelated files. The code also relies on getPaper from a local '../arxiv-paper-reviews/paper_client.js' not included here, so actual runtime behavior depends on external code which may perform network I/O or other sensitive actions. The test script calls main() without arguments and will fail or read pending tasks unless a pending file exists.
Install Mechanism
There is no install spec and no external downloads; this is an instruction + code-only skill. Nothing is fetched from remote URLs or installed during setup.
Credentials
The skill declares no required environment variables, credentials, or config paths. However, it does read/write a workspace-level pending_skill_task.json which might contain sensitive task metadata; no explicit secrets are requested.
Persistence & Privilege
always:false and no autonomous-override flags — the skill won't be forcibly included. Still, it writes persistent files into the agent workspace (skills/, memory/evolution/pending_skill_task.json). This is reasonable for a generator tool but increases blast radius if run in a workspace that contains secrets or production configs.
What to consider before installing
Before installing or running this skill:

- Inspect the workspace 'memory/evolution/pending_skill_task.json' (if present) since the skill will read it and may write back status and extracted content.
- Ensure you trust or inspect the sibling module arxiv-paper-reviews/paper_client.js that index.js requires — that file is not included and determines how papers are fetched (network calls, remote endpoints, credentials).
- Run the skill in a sandbox or isolated workspace first (not in a production project) to see what files it creates under workspace_root/skills and what it writes to memory/evolution.
- Note the SKILL.md usage examples path mismatch and that test.js calls main() without args (it will throw unless a pending task exists); provide a paper key when invoking (node index.js <paper_key>) to avoid accidental reads.
- If you plan to use this on a shared agent, verify the agent workspace does not contain secrets or sensitive configs at the paths the skill touches.

Additional information that would raise confidence to 'high': the missing arxiv-paper-reviews/paper_client.js included or documented, and a clear description of expected workspace layout (what WORKSPACE_ROOT should be) or modification to restrict operations to the skill's own directory.


Latest: vk975x1jc7agbt2j2v0y837vctd817mcc
881 downloads
2 stars
1 version
Updated 15h ago
MIT-0

ArXiv Skill Extractor

This skill wraps arxiv-paper-reviews and provides an automated pipeline for:

  1. Fetching papers.
  2. Extracting key algorithms.
  3. Generating skill templates.

Usage

Extract Skill from a Paper

const { extractSkill } = require("./skills/arxiv-skill-extractor/index.js");

async function run() {
  const result = await extractSkill("4711d67c242a5ecba2751e6b");
  console.log(result);
}

run();

Automation

Run the default extraction loop (uses local_task:arxiv_skill_learning config):

# Automatically read the paper_key from pending_skill_task.json
node skills/arxiv-skill-extractor/index.js

# Or specify the paper_key directly
node skills/arxiv-skill-extractor/index.js 4711d67c242a5ecba2751e6b

Why?

We need to continuously learn from new research. Manual reading is slow. This skill bridges the gap between paper knowledge and executable code.
