Trusted — Risk Score 5/100
Last scan: 2 days ago
paper-cluster-survey-v2-2
Extract structured paper records from PDFs and URLs, then classify and write academic survey reviews
A legitimate academic paper extraction and survey generation skill with appropriate, documented capabilities and no malicious behavior detected.
Skill Name: paper-cluster-survey-v2-2
Duration: 38.4s
Engine: pi
Safe to install
Approve for use. This skill performs standard paper metadata extraction from PDFs and URLs using well-defined, documented methods.

Findings (1 item)

Severity: Low
Finding: Shell tool usage not explicitly documented in SKILL.md
Location: SKILL.md:68
The SKILL.md mentions bundled scripts for paper extraction but doesn't enumerate the specific external tools (pdftotext, mutool, python3+pypdf, strings) used for PDF text extraction. This is technically a documentation gap but not a security violation, as the tools are standard, well-named utilities.
SKILL.md references 'scripts/extract-paper-records.mjs' without specifying PDF tool dependencies.
→ Consider adding a 'Tool Dependencies' section listing: pdftotext, mutool, python3 with the pypdf module
Resource   | Declared | Inferred | Status    | Evidence
Filesystem | READ     | READ     | ✓ Aligned | scripts/extract-paper-records.mjs:179 reads local files via fs.readFileSync
Network    | READ     | READ     | ✓ Aligned | scripts/extract-paper-records.mjs:247 uses native fetch() to retrieve paper URLs
Shell      | WRITE    | WRITE    | ✓ Aligned | scripts/extract-paper-records.mjs:194-225 invokes pdftotext, mutool, python3, st…
1 finding
Medium: External URL
https://arxiv.org/abs/1234.5678
README.md:30

File Tree

10 files · 37.6 KB · 1320 lines
JavaScript: 3 files · 792 lines; Markdown: 6 files · 522 lines; YAML: 1 file · 6 lines
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 6L · 360 B
├─ 📁 references
│ ├─ 📝 extraction-pipeline.md Markdown 48L · 1.4 KB
│ ├─ 📝 output-schema.md Markdown 107L · 1.8 KB
│ ├─ 📝 review-paper-style.md Markdown 81L · 2.1 KB
│ └─ 📝 taxonomy-guidelines.md Markdown 35L · 1.1 KB
├─ 📁 scripts
│ ├─ 📜 extract-paper-records.mjs JavaScript 492L · 14.3 KB
│ ├─ 📜 normalize-sources.mjs JavaScript 138L · 3.1 KB
│ └─ 📜 render-formal-review-template.mjs JavaScript 162L · 4.1 KB
├─ 📝 README.md Markdown 99L · 3.1 KB
└─ 📝 SKILL.md Markdown 152L · 6.1 KB

Dependencies (1 item)

Package           | Version | Source  | Known Vulns | Notes
Node.js built-ins | N/A     | runtime | No          | Uses only built-in modules: fs, os, path, process, child_process (spawnSync), fetch (native)

Security Positives

✓ No credential harvesting or environment variable enumeration
✓ No network exfiltration or data transmission to external servers beyond source URLs
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No obfuscation techniques (base64, eval, atob)
✓ No remote script execution (curl|bash, wget|sh)
✓ No arbitrary shell command execution - only specific PDF extraction tools
✓ Uses only Node.js built-in modules, no external dependencies
✓ Shell commands are standard, well-known utilities (pdftotext, mutool, strings)
✓ All shell invocations are documented through bundled scripts reference
✓ Temporary PDF files are properly cleaned up after processing
✓ No privilege escalation attempts