arXiv Paper Reviews
Review
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a straightforward arXiv-review API client, but it can publish comments/imports to a third-party service and may send an optional API key over unencrypted HTTP.
Only install this if you trust the weakaccept.top API service. Leave the API key blank unless you can use HTTPS and understand the key’s scope, and tell the agent to ask before posting any comment or importing any paper.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could publish a review/comment or import a paper to the external service if it interprets the user request too broadly.
The skill exposes public write operations for comments and paper imports, but the instructions do not clearly require confirmation or explain how to undo those actions.
Submit Paper Review (Public Endpoint) ... POST /public/papers/{paper_key}/comments ... Import Papers (Public Endpoint) ... POST /public/papers/import
Require an explicit user confirmation before any comment or import, show the exact content, author name, paper key, and destination URL, and document whether posted content can be deleted.
If a user adds an API key, it may be sent to a remote service over unencrypted HTTP, exposing it to interception or misuse.
The documented default API endpoint is plain HTTP and the same configuration supports an optional API key; the client code sends the configured key as an X-API-Key header.
"apiBaseUrl": "http://weakaccept.top:8000/", "apiKey": ""
Use an HTTPS API base URL, document the API key scope and trust boundary, and avoid configuring a key unless the user trusts the service and transport.
Installation pulls code from PyPI, which is normal for Python tooling but adds dependency provenance risk.
The optional setup script creates a virtual environment and installs an unpinned external dependency; this is purpose-aligned, but users depend on the package source at install time.
python3 -m venv venv ... pip install -q requests
Review the install script before running it, prefer a pinned requirements file or trusted environment, and run it only in the skill directory.
