Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
paper-view
v1.0.2
PaperView API — generate ECharts visualizations, AI scientific diagrams, and word clouds from data, text, or PDF papers. Use when the user wants to create ch...
⭐ 0· 82·0 current·0 all-time
by yangcheng @yyccr
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes ECharts visualizations, AI scientific diagrams, and word clouds and provides API endpoints that align with that purpose. However, the top-level registry metadata provided with the skill lists no required environment variables or homepage, while SKILL.md declares a required PAPERVIEW_API_TOKEN and includes a homepage and repository — this metadata mismatch is unexpected.
Instruction Scope
Instructions are focused on calling https://api.ipaperview.com endpoints and streaming results (SSE). They require sending data samples and optionally full PDF URLs to the remote API. The instructions do not ask the agent to read arbitrary local system files or credentials, but they do permit transmitting user-provided documents and text to an external service, which may include sensitive content.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk or installed by the skill itself — lower install risk.
Credentials
SKILL.md requires a PAPERVIEW_API_TOKEN (format pv_live_<hex>) to authenticate requests, which is appropriate for a remote API but is not reflected in the registry metadata shown earlier. The missing declaration in the registry is an inconsistency that could confuse users. The token appears to be a long-lived bearer token: granting it to the skill (or entering it in chat) would allow the service to act as your account and may expose any account-level data or quota.
Persistence & Privilege
The skill does not request always:true and does not include install hooks or requests to modify other skills or system-wide settings. Autonomous invocation is allowed (default), but that is normal for skills.
What to consider before installing
This skill appears to do what it says (generate charts/diagrams) but there are a few red flags to consider before installing:
- The SKILL.md requires a PAPERVIEW_API_TOKEN but the registry metadata you were shown did not list any required env; confirm the registry entry matches the runtime instructions.
- The skill will transmit data and PDFs to api.ipaperview.com. Do not send sensitive or confidential documents unless you trust the service and have reviewed its privacy/security policies.
- The token format (pv_live_...) suggests a bearer credential that could be used to consume your quota or access account resources. Consider creating a dedicated/test account or token with limited rights before sharing it.
- Verify the SKILL.md repository and homepage (SKILL.md lists https://www.ipaperview.com and a GitHub repo) and inspect the project or contact the author if anything is unclear.
- Check quota, pricing, and rate limits to avoid unexpected charges or data loss.
If the registry metadata is simply out-of-date, that explains the mismatch; if not, ask the publisher why the required credential was omitted from the registry record. Proceed cautiously and avoid entering real production credentials until you are confident in the service.
Like a lobster shell, security has layers — review code before you run it.
latest vk975y20g5hee6dsmt6prbt4pk1839mke
