
      Safety Report

      Agentic Paper Digest Skill

      @matanle51

      Fetches and summarizes recent arXiv and Hugging Face papers with Agentic Paper Digest. Use when the user wants a paper digest, a JSON feed of recent papers, or to run the arXiv/HF pipeline.

      2,461 Downloads
      4 Installs
      4 Stars
      7 Versions

      Security Analysis

      Medium confidence
      Suspicious · 0.04 risk

      The skill's functionality (fetching + summarizing papers) matches its description, but there are inconsistencies and moderate risks around how it instructs you to install and supply credentials (it will download code from GitHub and pip-install dependencies and auto-load a .env), so review the repo and secrets before running.

      Feb 11, 2026 · 5 files · 4 concerns

      Purpose & Capability: note

      The name/description (paper digests from arXiv/Hugging Face) align with the runtime instructions and scripts. The skill legitimately needs Python, network access, and an LLM API key. However, registry metadata does not declare required env vars (OPENAI_API_KEY / LITELLM_*), and the SKILL.md explicitly requires network/git access and LLM credentials — this metadata mismatch is worth noting.

      Instruction Scope: concern

      Runtime instructions require you (or the agent) to open and read config files from the downloaded repo and to source a .env file. The provided run scripts will export and source ENV_FILE (.env) automatically, which may expose any secrets in that file to the running process. The SKILL.md also instructs the agent to ask the user for LLM credentials and other configuration; that is expected for operation but increases the sensitive surface the skill touches (local config + API keys).

      Install Mechanism: concern

      There is no registry install spec, but the included bootstrap.sh downloads the GitHub repository (zip or git clone), creates/activates a virtualenv and runs pip install -r requirements.txt from that repo. This is a common pattern but carries moderate risk: arbitrary Python packages and code from the upstream repo will be installed/executed on your system. The download URL is a GitHub repo (not a shortener or unknown host), which reduces but does not eliminate risk.

      Credentials: concern

      The registry lists no required env vars, yet SKILL.md and the scripts expect LLM credentials (OPENAI_API_KEY or LITELLM_API_KEY/BASE) and many optional envs. The run scripts auto-source an ENV_FILE (.env) and export its contents, which can include unrelated secrets. Requesting an LLM API key is proportional to the stated purpose, but the lack of that declaration in registry metadata and the automatic sourcing of .env are mismatched and increase exposure.

      Persistence & Privilege: ok

      always is false and the skill does not demand permanent system-wide presence. The skill's scripts install into a user-controlled PROJECT_DIR and create a virtualenv there; they don't modify other skills or global agent settings. Autonomous invocation is allowed (platform default) but not exceptional here.

      Guidance

      Before installing/running:

      1) Review the upstream GitHub repository (https://github.com/matanle51/agentic_paper_digest) and inspect requirements.txt and the package code (paper_finder) so you understand what code will be installed and run.
      2) Do not paste your real OPENAI_API_KEY (or other secrets) into .env until you trust the repo — consider using a restricted/test key.
      3) Run the bootstrap and the service inside an isolated environment (container or dedicated VM) if possible, since pip will install third-party packages from the repo.
      4) Set PROJECT_DIR to a non-sensitive, dedicated directory (not your home root) and check the contents of any auto-created .env.
      5) If you require higher assurance, manually clone the repo, inspect files, and run pip install yourself rather than running bootstrap.sh blindly.

      If you want, I can list the exact files to inspect (requirements.txt, main package entrypoints) or help craft a safe sandbox command-line to run the bootstrap.

      Latest Release

      v0.3.3

      - Updated workflow instructions to prioritize proactive user interaction and guidance.
      - Clarified that the user must first open and read the configuration from the downloaded GitHub repo.
      - Emphasized assisting the user in providing preferences for topics, time window, and core parameters.
      - Added a note to default to 24 hours for the time window unless the user specifies otherwise.
      - Added recommendation to default OpenAI model to "gpt-5-mini" for optimal tradeoff.
      - Added reminders for skill developers to help the user tune for good results.
      - Minor edits for clarity, directness, and improved step-by-step guidance.

      Published by @matanle51 on ClawHub
