Arxiv Paper Reviews
v0.1.1
Interact with arXiv Crawler API to fetch papers, read reviews, and submit comments. Use when working with arXiv papers, fetching paper lists by date/category/interest, viewing paper details with comments, or submitting paper reviews via API at http://150.158.152.82:8000.
by @zxrys
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md, and the included Python client are consistent: they fetch paper lists, show details, list and post comments to an arXiv-review-like API. However, the apiBaseUrl is an IP address (150.158.152.82) rather than a known domain; that opacity is notable and not justified in the docs. Also, the registry text said 'instruction-only' while code files are present, which is a small metadata inconsistency.
Instruction Scope
Runtime instructions (SKILL.md) and the client script only read a local config.json and perform HTTP requests to the declared API. There are no instructions to read unrelated system files, environment secrets, or to exfiltrate other data. Comment-posting capability is explicit in the docs.
Install Mechanism
No formal install spec is provided (instruction-only), but the package includes an install-deps.sh that creates a venv and installs the 'requests' package — a low-risk, common approach. There is no remote code download during install, but the presence of executable files means code will run locally; inspect before executing.
Credentials
The skill does not request environment variables or credentials from the platform. It uses a local config.json (apiBaseUrl, optional apiKey, defaultAuthorName). Requesting an optional apiKey is proportionate. There is no unexplained access to other credentials.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-level privileges. It does not modify other skills or system settings. Note: default platform behavior allows autonomous invocation, which increases impact if the skill interacts with external services — consider that when granting autonomous rights.
What to consider before installing
What to check before installing or using:
- Verify the remote API: The skill uses an IP address (http://150.158.152.82:8000). Confirm who runs that server and whether you trust it. Prefer a TLS-secured domain (https) and known operator.
- Inspect the code locally: paper_client.py and install-deps.sh are small and readable; open them yourself before running. The client only reads config.json and makes HTTP calls.
- Run in an isolated environment: use the included virtualenv (install-deps.sh) or a container to avoid affecting your system.
- Protect secrets: apiKey is optional and stored in config.json; don't put sensitive credentials there unless you trust the server. Avoid posting personal/identifying info as comment content.
- Posting risk: the skill can submit comments to the remote service. If you will auto-generate comments (LLM integration), ensure content is appropriate and rate limits are respected.
- Metadata inconsistency: registry claimed 'instruction-only' but code files exist — treat the package as code-containing and inspect before executing.
If you cannot verify who operates the API or the server's purpose, do not supply API keys or submit content to that endpoint. If you want to proceed, ask the package author for ownership/hosting information or switch apiBaseUrl to a known/trusted service.
