ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

arXiv Paper Reviews

v1.0.6

Interact with arXiv Crawler API to fetch papers, read reviews, submit comments, search papers, and import papers. Use when working with arXiv papers, fetchin...

0· 2.4k·9 current·9 all-time
by@zxrys
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (arXiv paper reviews) align with the code and SKILL.md: the client lists papers, shows details, posts comments, searches, and imports via an HTTP API. However the default apiBaseUrl is set to http://weakaccept.top:8000/, which is not an official arXiv endpoint and the package has no homepage or known publisher—this means network traffic (including comments and imported URLs) will go to a third-party service rather than arXiv.org.
Instruction Scope
Runtime instructions and SKILL.md keep to the stated task: install requests, create config.json, run commands that call the configured API. The instructions do not ask the agent to read unrelated local files or arbitrary environment variables. The only data sent are the expected API parameters (paper keys, comment content, arXiv URLs).
Install Mechanism
There is no platform install spec; the repository includes a small install-deps.sh that creates a local venv and installs the requests library. This is low-risk and standard for a Python CLI. No downloads from arbitrary URLs or archive extraction are present.
Credentials
The skill requests no environment variables and only uses a local config.json with optional apiKey and defaultAuthorName. These are proportionate. Important caveat: any comments or imported arXiv URLs you submit will be forwarded to the configured API server (default weakaccept.top). Do not submit sensitive data or credentials through the skill unless you trust the remote service, and consider setting apiBaseUrl to a trusted endpoint if available.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or global agent settings. Its local persistence is limited to the venv created by install-deps.sh and the config.json file it expects; this is normal for a CLI client.
What to consider before installing
This skill behaves as advertised, but its default API points to an unknown third-party server (http://weakaccept.top:8000/) with no homepage or publisher details. Before installing: (1) decide whether you trust that server — anything you POST (comments, arXiv URLs) will go there; (2) do not include sensitive information in comments or imports; (3) inspect the included paper_client.py yourself (it is small and readable) or run it in an isolated environment; (4) consider changing config.json apiBaseUrl to a trusted service or self-hosted instance if you need to protect your data; (5) if you need higher assurance, ask the publisher for provenance or use a client that talks directly to official arXiv services.

Like a lobster shell, security has layers — review code before you run it.

latestvk976206e338cffaj00d1bttras81y30b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments