Literature Report
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears aligned with its stated purpose, but users should notice that it uses an LLM API key, sends paper content to the configured LLM provider, installs Python packages, and can be scheduled to run daily.
Install only if you are comfortable running the setup script, storing an LLM API key in config.yaml, sending literature metadata to your configured LLM provider, and optionally enabling a daily scheduled job. Use a virtual environment, a trusted LLM base_url, and a dedicated API key where possible.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your LLM account/key may be used for API calls and may incur cost according to your provider.
The skill requires a user-provided LLM API key and uses it for paid/credentialed model calls. This is disclosed and central to the stated summarization function.
**LLM API Key** (required)... **Purpose:** semantic understanding and content generation ... paper titles and abstracts will be sent to the configured LLM service
Use a dedicated or limited-scope API key if possible, keep config.yaml private, and verify the configured base_url is a trusted provider.
The configured LLM provider can receive the paper metadata and any research-focus text included in prompts.
The code sends generated prompts to a user-configured LLM provider endpoint. The prompts are built from paper titles/abstracts and related report-generation instructions.
"messages": [{"role": "user", "content": prompt}] ... requests.post(f"{base_url}/chat/completions", headers=headers, json=data, timeout=60)
Do not include confidential research directions unless your LLM provider and data-retention terms are acceptable.
Installation will download and install third-party Python packages into the active Python environment.
The installer pulls Python dependencies without exact version pins. This is a common, purpose-aligned setup step, but it depends on package-index provenance at install time.
pip3 install -q feedparser requests pyyaml ... pip3 install -q markdown weasyprint
Install in a virtual environment and review/pin dependencies if you need reproducible or hardened installations.
If enabled, the task may continue fetching papers and using the LLM API every day.
The skill documents a recurring daily schedule. This persistence is disclosed and matches the daily-report purpose, but it will keep running after setup.
openclaw cron add literature-report --time '0 9 * * *'
Only enable the cron job if you want ongoing automation, monitor API usage, and know how to remove or disable the schedule.
