Automates the process of extracting reusable skill code from arXiv papers. Use this skill to turn paper insights into actual OpenClaw skills.
Security Analysis
medium confidenceThe skill's code and instructions are mostly coherent with its stated goal of generating skill scaffolds from arXiv papers, but it performs file I/O outside its own directory, depends on a missing local module, and contains path mismatches that could cause unexpected access to workspace files; review before running in a shared workspace.
The code creates skill scaffolds (SKILL.md, run.js, paper.json) from a paper object and writes them into a workspace 'skills' folder — this matches the 'extract skill' purpose. Minor inconsistencies: SKILL.md example requires './skills/arxiv-skill-extractor/index.js' which does not match the package layout, and the implementation expects a sibling module '../arxiv-paper-reviews/paper_client.js' that is not present in the bundle.
The runtime reads and writes files outside the skill directory: WORKSPACE_ROOT is set to path.resolve(__dirname, "../.."), and the code reads/writes memory/evolution/pending_skill_task.json and writes into workspace/skills/<skillName>. That expands the skill's scope into the agent's workspace and could access unrelated files. The code also relies on getPaper from a local '../arxiv-paper-reviews/paper_client.js' not included here, so actual runtime behavior depends on external code which may perform network I/O or other sensitive actions. The test script calls main() without arguments and will fail or read pending tasks unless a pending file exists.
There is no install spec and no external downloads; this is an instruction + code-only skill. Nothing is fetched from remote URLs or installed during setup.
The skill declares no required environment variables, credentials, or config paths. However, it does read/write a workspace-level pending_skill_task.json which might contain sensitive task metadata; no explicit secrets are requested.
always:false and no autonomous-override flags — the skill won't be forcibly included. Still, it writes persistent files into the agent workspace (skills/, memory/evolution/pending_skill_task.json). This is reasonable for a generator tool but increases blast radius if run in a workspace that contains secrets or production configs.
Guidance
Before installing or running this skill: - Inspect the workspace 'memory/evolution/pending_skill_task.json' (if present) since the skill will read it and may write back status and extracted content. - Ensure you trust or inspect the sibling module arxiv-paper-reviews/paper_client.js that index.js requires — that file is not included and determines how papers are fetched (network calls, remote endpoints, credentials). - Run the skill in a sandbox or isolated workspace first (not in a production project) to see what files it creates under workspace_root/skills and what it writes to memory/evolution. - Note the SKILL.md usage examples path mismatch and that test.js calls main() without args (it will throw unless a pending task exists); provide a paper key when invoking (node index.js <paper_key>) to avoid accidental reads. - If you plan to use this on a shared agent, verify the agent workspace does not contain secrets or sensitive configs at the paths the skill touches. Additional information that would raise confidence to 'high': the missing arxiv-paper-reviews/paper_client.js included or documented, and a clear description of expected workspace layout (what WORKSPACE_ROOT should be) or modification to restrict operations to the skill's own directory.
Latest Release
v1.0.0
Initial release of arxiv-skill-extractor: - Automates the extraction of reusable skill code from arXiv papers. - Fetches papers, extracts key algorithms, and generates OpenClaw skill templates. - Supports both programmatic API and command-line usage. - Enables ongoing integration of research insights into executable skills.
Popular Skills
Published by @wanng-ide on ClawHub
