arXiv Paper Reviews
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could publish a review/comment or import a paper to the external service if it interprets the user request too broadly.
The skill exposes public write operations for comments and paper imports, but the instructions do not clearly require confirmation or explain how to undo those actions.
Submit Paper Review (Public Endpoint) ... POST /public/papers/{paper_key}/comments ... Import Papers (Public Endpoint) ... POST /public/papers/import
Require an explicit user confirmation before any comment or import, show the exact content, author name, paper key, and destination URL, and document whether posted content can be deleted.
If a user adds an API key, it may be sent to a remote service over unencrypted HTTP, exposing it to interception or misuse.
The documented default API endpoint is plain HTTP and the same configuration supports an optional API key; the client code sends the configured key as an X-API-Key header.
"apiBaseUrl": "http://weakaccept.top:8000/", "apiKey": ""
Use an HTTPS API base URL, document the API key scope and trust boundary, and avoid configuring a key unless the user trusts the service and transport.
Installation pulls code from PyPI, which is normal for Python tooling but adds dependency provenance risk.
The optional setup script creates a virtual environment and installs an unpinned external dependency; this is purpose-aligned, but users depend on the package source at install time.
python3 -m venv venv ... pip install -q requests
Review the install script before running it, prefer a pinned requirements file or trusted environment, and run it only in the skill directory.
