Literature Report
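v1.0.4
Automated research literature reporting system. Every day it automatically retrieves the latest papers from top journals, filters them with AI assistance, generates bilingual summaries, and pushes them to Feishu. Usage: 1. Activated when the user says "set up literature report" or "push papers every day"; 2. Activated when the user asks to customize the research topics; 3. Activated when the user requests literature retrieval and push.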
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (daily literature retrieval, AI filtering, bilingual summaries, Feishu push) align with the included scripts: RSS + PubMed fetching, AI filtering, summary generation, and Feishu push. However the published registry metadata lists no required credentials/primary credential, while SKILL.md/package.json and the code clearly require an LLM API key (stored in config.yaml). This metadata mismatch is an incoherence that could mislead users or automation.
Instruction Scope
Runtime instructions and scripts perform network operations: pulling RSS feeds, querying NCBI PubMed APIs, and sending paper titles/abstracts to the configured LLM endpoint (base_url + /chat/completions). The SKILL.md warns about this, but the code will transmit paper content to whichever base_url is configured. send_to_feishu is a placeholder that only prints by default (no real Feishu API call), but the scripts read/write config.yaml and data files. There is no instruction or code that reads unrelated local secrets or system config beyond the project's config.yaml, but sending abstracts to an external LLM is a potential data-exfiltration/privacy risk if the endpoint is untrusted.
Install Mechanism
There is no platform install spec; installation is via the included install.sh which runs pip installs for common PyPI packages (feedparser, requests, pyyaml, markdown, weasyprint). No downloads from obscure URLs or archive extraction are present. install.sh also copies config template and runs local verify_install.py. This is standard but will install packages from PyPI.
Credentials
The code and SKILL.md require an LLM API key (api.api_key in config.yaml) and optionally a Feishu user ID. The registry metadata, however, declares 'Required env vars: none' and 'Primary credential: none', which contradicts the declared MUST credential in SKILL.md/package.json and the code. Aside from the LLM API key and optional Feishu ID, no other credentials are requested. Requiring an LLM API key is proportionate to the described functionality, but the metadata mismatch is misleading and should be corrected before installation.
Persistence & Privilege
The skill does not request 'always:true' and does not modify other skills or system-wide configs. It creates/uses local project files (config.yaml, data/, logs/) which is expected. It will persist data (fetched papers and generated summaries) locally in the repository's data directory.
What to consider before installing
Before installing: (1) Be aware this will send paper titles and abstracts to whatever LLM endpoint you configure — only use a trusted provider and review their data-retention/privacy terms. (2) The skill expects an LLM API Key in config.yaml (api.api_key) even though the registry metadata omitted that — do not paste keys into public repos. (3) Review and, if needed, change base_url to a known/approved endpoint; malicious endpoints could capture your data. (4) Feishu push is implemented as a placeholder that prints the message — if you expect real push behavior, review and implement the Feishu API call and handle tokens securely. (5) Run the code in an isolated environment (or sandbox/VM) and inspect config.yaml and scripts yourself; consider creating a provider account with limited quota or using a provider that supports private/deletion guarantees. (6) If you need the registry to be accurate, ask the publisher to update the metadata to declare the required credential (LLM API Key).
Like a lobster shell, security has layers — review code before you run it.
latest vk975dznpayksq4xjmtxa726ets824waw
