arxiv-papers-search Security Report — Trusted | ClawSafe

5 /100

arxiv-papers-search

Search, retrieve, and analyze academic papers from arXiv

This is a legitimate arXiv paper search and download skill with no malicious behavior - all functionality matches documentation.

Skill Namearxiv-papers-search

Duration37.4s

Enginepi

✓

Safe to install

No action needed. The skill is safe to use.

Findings 2 items

Severity	Finding	Location
Low	Unpinned requests dependency Supply Chain The requests library is not pinned to a specific version in requirements.txt `import requests` → Consider pinning requests to a specific version (e.g., requests>=2.28.0) for reproducible builds	`scripts/search_papers.py:4`
Info	HTTP API usage Sensitive Access Uses HTTP instead of HTTPS for arXiv API endpoint `base_url = "http://export.arxiv.org/api/query"` → Consider using HTTPS for improved transport security, though arXiv API is public and unauthenticated	`scripts/search_papers.py:28`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	All scripts use requests.get() to fetch from public arXiv API only
Filesystem	`WRITE`	`WRITE`	✓ Aligned	download_paper.py:28 writes to user-specified output path
Shell	`NONE`	`NONE`	—	No subprocess or shell execution found
Environment	`NONE`	`NONE`	—	No os.environ access or credential reading
credential_theft	`NONE`	`NONE`	—	No credential access detected

7 findings

🔗

Medium External URL 外部 URL

http://export.arxiv.org/api/query

references/api_reference.md:11

🔗

Medium External URL 外部 URL

http://export.arxiv.org/api/query?search_query=all:machine+learning&start=0&max_results=10&sortBy=relevance&sortOrder=de...

references/api_reference.md:23

🔗

Medium External URL 外部 URL

https://arxiv.org/pdf/

references/api_reference.md:28

🔗

Medium External URL 外部 URL

https://arxiv.org/pdf/2301.00001.pdf

references/api_reference.md:32

🔗

Medium External URL 外部 URL

http://arxiv.org/abs/2301.00001v1

references/api_reference.md:41

🔗

Medium External URL 外部 URL

http://arxiv.org/pdf/2301.00001v1

references/api_reference.md:51

🔗

Medium External URL 外部 URL

http://www.w3.org/2005/Atom

scripts/analyze_trends.py:42

File Tree

10 files · 25.4 KB · 849 lines

Markdown 4f · 449L Python 5f · 376L Text 1f · 24L

├─ ▾ 📁 assets

│ ├─ ▾ 📁 templates

│ │ └─ 📝 research_summary.md Markdown 22L · 305 B

│ └─ 📄 example_asset.txt Text 24L · 888 B

├─ ▾ 📁 references

│ ├─ 📝 api_reference.md Markdown 125L · 2.9 KB

│ └─ 📝 categories.md Markdown 171L · 5.4 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 analyze_trends.py Python 129L · 4.0 KB

│ ├─ 🐍 download_paper.py Python 56L · 1.6 KB

│ ├─ 🐍 example.py Python 19L · 588 B

│ ├─ 🐍 get_paper_details.py Python 77L · 2.6 KB

│ └─ 🐍 search_papers.py Python 95L · 3.4 KB

└─ 📝 SKILL.md Markdown 131L · 3.7 KB

Dependencies 4 items

Package	Version	Source	Known Vulns	Notes
`requests`	`*`	import	No	Library version not pinned - consider pinning for reproducible builds
`xml.etree.ElementTree`	`stdlib`	builtin	No	Standard library - no external dependency
`collections`	`stdlib`	builtin	No	Standard library - used for Counter
`datetime`	`stdlib`	builtin	No	Standard library - used for date parsing

Security Positives

✓ No shell execution or subprocess calls found

✓ No credential harvesting or environment variable access

✓ No data exfiltration - only queries public arXiv API

✓ Documentation accurately describes all functionality

✓ No obfuscation, base64-encoded code, or hidden instructions

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)

✓ No persistence mechanisms (cron, startup hooks, backdoors)

✓ No prompt injection or LLM manipulation attempts

✓ File writes are limited to user-specified output paths for PDF downloads

✓ All network requests go to legitimate arXiv.org endpoints

Scan Report

Findings 2 items

File Tree

Dependencies 4 items

Security Positives