Arxiv Paper Reviews
PassAudited by ClawScan on May 10, 2026.
Overview
The skill’s code matches its stated arXiv review API purpose, but users should trust the raw HTTP IP endpoint before posting comments or adding an API key.
Use this skill if you trust the API at 150.158.152.82:8000. Review any generated comment before posting, avoid putting sensitive information in comments or author names, and do not configure an API key unless necessary.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent runs the comment command, it can publish a paper comment under the supplied or configured author name.
The comment command posts supplied content and author name to the external public comments endpoint. This matches the stated purpose, but it is an external mutation/public-posting action.
url = f"{config['apiBaseUrl']}/public/papers/{args.paper_key}/comments"Require explicit approval for comment submissions and review the paper key, author name, and comment text before posting.
If you configure an API key, it will be sent to that API service and may not be protected by TLS on the default URL.
The skill supports an optional API key for the disclosed API service. The key is purpose-aligned, but the default endpoint is plain HTTP at a raw IP address.
"apiBaseUrl": "http://150.158.152.82:8000", "apiKey": ""
Leave the API key blank unless needed, use a least-privilege key, and prefer a trusted HTTPS endpoint if available.
Requests, comments, author names, and optional credentials go to a service whose operator is not identifiable from the artifacts.
The service endpoint is a disclosed raw HTTP IP rather than a named, TLS-protected provider URL. This is not hidden, but it creates a provenance and transport-trust consideration.
"apiBaseUrl": "http://150.158.152.82:8000"
Install only if you trust the API operator, and avoid sending sensitive information to the default endpoint.
Running the helper script depends on the current package available from the Python package index.
The optional helper script installs the requests package without a pinned version. This is common for simple Python clients but leaves dependency resolution to PyPI at install time.
pip install -q requests
Use a virtual environment and pin or review dependencies if you need reproducible installs.