Back to skill
Skillv1.0.3
ClawScan security
HF Papers · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 9:33 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's declared purpose (browse/search Hugging Face Papers) aligns with its instructions and it requests no unusual installs or credentials; behavior is coherent and proportional.
- Guidance
- This skill appears coherent and low-risk: it queries the public Hugging Face Papers API and caches results under ~/.cache/hf-papers/ (15-minute/1-hour TTLs). There are no install steps, no downloads, and no credentials requested. If you are concerned about local data, you can remove that cache directory after use. Note that because this is an instruction-only skill (no code files), its runtime network behavior depends on the platform implementing the described tools — if you need stronger assurance, ask the maintainer or platform for details on the actual HTTP endpoints and caching implementation before installing.
Review Dimensions
- Purpose & Capability
- okName/description match the actions documented in SKILL.md (trending, search, details, comments). No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope
- okInstructions describe calling the Hugging Face Papers public API and optionally using an external arxiv-reader skill for full text. The only local I/O mentioned is caching under ~/.cache/hf-papers/ with specified TTLs; nothing instructs reading unrelated files or secrets.
- Install Mechanism
- okNo install spec or code files are present (instruction-only). This minimizes risk because nothing is downloaded or written by the skill itself during install.
- Credentials
- okThe skill requires no environment variables, credentials, or config paths. That is appropriate for a read-only public-API browsing/searching capability.
- Persistence & Privilege
- okalways is false and the skill does not request elevated or cross-skill configuration changes. Local caching is limited to a per-user cache directory (~/.cache/hf-papers/) and TTLs are defined.