paper-research-agent Security Report — Trusted | ClawSafe

5 /100

paper-research-agent

Autonomous multi-agent paper research system with parallel sub-agent analysis, 6-section structured reports, and arXiv integration

Legitimate academic paper research tool with clear documentation, proper declared capabilities, and no malicious indicators.

Skill Namepaper-research-agent

Duration40.7s

Enginepi

✓

Safe to install

This skill is safe to use. No security concerns identified.

Findings 1 items

Severity	Finding	Location
Low	Auto-install with unpinned dependencies Supply Chain The ensure_deps() function auto-installs dependencies without version pinning (deps = ['arxiv', 'requests', 'pdfplumber']). While this is common practice, version pinning would improve reproducibility. `subprocess.run([sys.executable, '-m', 'pip', 'install', dep, '-q'])` → Consider pinning versions: 'arxiv>=1.4.0', 'requests>=2.28.0', 'pdfplumber>=0.10.0'	`scripts/research_pipeline.py:20`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	SKILL.md lines 152-155: file writes for output directories
Network	`READ`	`READ`	✓ Aligned	SKILL.md lines 30-32: arXiv API integration; research_pipeline.py line 178: requ…
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md lines 145-150: subprocess.run with python3 for pipeline execution
Environment	`NONE`	`NONE`	—	No os.environ access detected in code
Skill Invoke	`READ`	`READ`	✓ Aligned	SKILL.md lines 165-176: sessions_spawn for sub-agents
Clipboard	`NONE`	`NONE`	—	No clipboard access in code
Browser	`NONE`	`NONE`	—	No browser automation in code
Database	`NONE`	`NONE`	—	No database access in code

5 files · 44.3 KB · 1468 lines

Markdown 3f · 1033L Python 1f · 427L JSON 1f · 8L

├─ ▾ 📁 references

│ └─ 📝 analysis_standards.md Markdown 480L · 13.0 KB

├─ ▾ 📁 scripts

│ └─ 🐍 research_pipeline.py Python 427L · 14.5 KB

├─ 📋 _meta.json JSON 8L · 453 B

├─ 📝 README.md Markdown 238L · 7.3 KB

└─ 📝 SKILL.md Markdown 315L · 9.0 KB

Package	Version	Source	Known Vulns	Notes
`arxiv`	`*`	pip	No	Version not pinned - auto-installed
`requests`	`*`	pip	No	Version not pinned - auto-installed
`pdfplumber`	`*`	pip	No	Version not pinned - auto-installed

✓ Documentation accurately reflects all implemented functionality

✓ All subprocess calls explicitly declared in SKILL.md

✓ Network requests limited to legitimate arXiv.org domain only

✓ No credential harvesting or sensitive file access

✓ No data exfiltration mechanisms present

✓ No obfuscation techniques detected

✓ No remote script execution from external sources

✓ Clean code structure with no hidden functionality

✓ MIT license provided, author clearly identified