arxiv-papers-search 安全扫描报告 — 可信 | ClawSafe

5 /100

arxiv-papers-search

Search, retrieve, and analyze academic papers from arXiv

This is a legitimate arXiv paper search and download skill with no malicious behavior - all functionality matches documentation.

技能名称arxiv-papers-search

分析耗时37.4s

引擎pi

✓

可以安装

No action needed. The skill is safe to use.

安全发现 2 项

严重性	安全发现	位置
低危	Unpinned requests dependency 供应链 The requests library is not pinned to a specific version in requirements.txt `import requests` → Consider pinning requests to a specific version (e.g., requests>=2.28.0) for reproducible builds	`scripts/search_papers.py:4`
提示	HTTP API usage 敏感访问 Uses HTTP instead of HTTPS for arXiv API endpoint `base_url = "http://export.arxiv.org/api/query"` → Consider using HTTPS for improved transport security, though arXiv API is public and unauthenticated	`scripts/search_papers.py:28`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	All scripts use requests.get() to fetch from public arXiv API only
文件系统	`WRITE`	`WRITE`	✓ 一致	download_paper.py:28 writes to user-specified output path
命令执行	`NONE`	`NONE`	—	No subprocess or shell execution found
环境变量	`NONE`	`NONE`	—	No os.environ access or credential reading
凭证窃取	`NONE`	`NONE`	—	No credential access detected

7 项发现

🔗

中危外部 URL 外部 URL

http://export.arxiv.org/api/query

references/api_reference.md:11

🔗

中危外部 URL 外部 URL

http://export.arxiv.org/api/query?search_query=all:machine+learning&start=0&max_results=10&sortBy=relevance&sortOrder=de...

references/api_reference.md:23

🔗

中危外部 URL 外部 URL

https://arxiv.org/pdf/

references/api_reference.md:28

🔗

中危外部 URL 外部 URL

https://arxiv.org/pdf/2301.00001.pdf

references/api_reference.md:32

🔗

中危外部 URL 外部 URL

http://arxiv.org/abs/2301.00001v1

references/api_reference.md:41

🔗

中危外部 URL 外部 URL

http://arxiv.org/pdf/2301.00001v1

references/api_reference.md:51

🔗

中危外部 URL 外部 URL

http://www.w3.org/2005/Atom

scripts/analyze_trends.py:42

目录结构

10 文件 · 25.4 KB · 849 行

Markdown 4f · 449L Python 5f · 376L Text 1f · 24L

├─ ▾ 📁 assets

│ ├─ ▾ 📁 templates

│ │ └─ 📝 research_summary.md Markdown 22L · 305 B

│ └─ 📄 example_asset.txt Text 24L · 888 B

├─ ▾ 📁 references

│ ├─ 📝 api_reference.md Markdown 125L · 2.9 KB

│ └─ 📝 categories.md Markdown 171L · 5.4 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 analyze_trends.py Python 129L · 4.0 KB

│ ├─ 🐍 download_paper.py Python 56L · 1.6 KB

│ ├─ 🐍 example.py Python 19L · 588 B

│ ├─ 🐍 get_paper_details.py Python 77L · 2.6 KB

│ └─ 🐍 search_papers.py Python 95L · 3.4 KB

└─ 📝 SKILL.md Markdown 131L · 3.7 KB

依赖分析 4 项

包名	版本	来源	已知漏洞	备注
`requests`	`*`	import	否	Library version not pinned - consider pinning for reproducible builds
`xml.etree.ElementTree`	`stdlib`	builtin	否	Standard library - no external dependency
`collections`	`stdlib`	builtin	否	Standard library - used for Counter
`datetime`	`stdlib`	builtin	否	Standard library - used for date parsing

安全亮点

✓ No shell execution or subprocess calls found

✓ No credential harvesting or environment variable access

✓ No data exfiltration - only queries public arXiv API

✓ Documentation accurately describes all functionality

✓ No obfuscation, base64-encoded code, or hidden instructions

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)

✓ No persistence mechanisms (cron, startup hooks, backdoors)

✓ No prompt injection or LLM manipulation attempts

✓ File writes are limited to user-specified output paths for PDF downloads

✓ All network requests go to legitimate arXiv.org endpoints