Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Astro arXiv Search

v1.0.1

Retrieve astronomy and astrophysics papers from the user's arXiv mirror API. Use when Codex needs to list papers from a given arXiv day, find papers related...

by Zhang Qiqian (@zqqian)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (astro arXiv search) matches the instructions: all runtime steps are about calling an arXiv mirror API to list, recommend, and fetch papers. However the SKILL.md repeatedly refers to "the user's arXiv mirror API" while the provided API reference hard-codes endpoints under https://arxiv.q-cs.cn. There is no declared environment variable or configuration option to point the skill at a different/more private mirror or the official arxiv.org. That inconsistency (claimed "user's mirror" vs fixed third‑party host) is unexpected.
Instruction Scope
The runtime instructions are constrained to calling the listed HTTP endpoints and applying rules for parameters, pagination, and context size. The instructions do not ask the agent to read local files, environment variables, or unrelated credentials. They do, however, instruct the agent to prefer this API and to send user queries to it; because the endpoint is a third‑party host, that means user queries and requested paper IDs will be transmitted externally. The skill also requires repeated API usage and fallbacks but gives no mechanism to change the base URL.
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing is written to disk or installed. That is the lowest-risk install model.
Credentials
The skill declares no required environment variables, credentials, or config paths — which is proportionate for a simple read-only paper lookup service. That said, there is no declared way to configure the API base URL or to supply a private mirror endpoint, which reduces user control and is surprising given the description.
Persistence & Privilege
The skill does not request elevated persistence: always is false, no install or auto-enabling behavior is present, and it does not instruct modifying other skills or system settings.
What to consider before installing
This skill's behavior is mostly consistent with an arXiv paper lookup helper, but note two things before installing: (1) the included API reference and examples point to a third‑party mirror (https://arxiv.q-cs.cn) rather than the official arXiv or a configurable user mirror. Using this skill will send user queries and requested arXiv IDs to that external host. If you care about privacy or trust, verify the operator of that domain or avoid the skill. (2) The skill advertises that it will use "the user's arXiv mirror API" but provides no env var or config to change the base URL — ask the publisher to add a configurable BASE_API_URL (and optional API key/credentials) before you rely on it. If you proceed, consider testing with non-sensitive queries and confirm the returned data matches expectations. If you need the agent to avoid sending queries to untrusted third parties, do not install or request the ability to override the API endpoint.

Like a lobster shell, security has layers — review code before you run it.

latest: vk974jk2n3hwmp4xer0wbezzdgs82v49s

