Is aurora-1412/arxiv-reader safe?
https://github.com/openclaw/skills/tree/main/skills/aurora-1412/arxiv-reader
This skill is a legitimate arXiv paper reader that uses LangChain to classify and deeply read academic papers via LLM. The code is clean, unobfuscated, and does exactly what it claims. The primary risk is unpinned Python dependencies (especially arxiv-to-prompt with no version constraint) which creates a supply chain attack surface, and the inherent need to handle the user's LLM API key.
Findings (6)
MEDIUM (-20): Unpinned Python dependencies with version ranges
requirements.txt uses >= version constraints (e.g., langchain>=1.2.9) and arxiv-to-prompt has no version pin at all. This means pip install could fetch any newer version, including a compromised one. A supply chain attack on any of these packages would execute arbitrary code during installation.
LOW (-10): LLM API key sent to configurable external endpoint
The skill requires LLM_API_KEY and sends it to LLM_BASE_URL via LangChain's ChatOpenAI. The default endpoint is api.deepseek.com. While this is legitimate for the skill's purpose, the API key is a sensitive credential being transmitted to a third-party API.
LOW (-10): pip install executes during skill setup
SKILL.md instructs running 'uv pip install -r requirements.txt' which downloads and installs Python packages from PyPI. Combined with unpinned versions, this creates a window for supply chain compromise.
LOW (-10): Skill requests sensitive environment variables
The skill's metadata declares requirements for LLM_API_KEY, LLM_BASE_URL, LLM_TEMPERATURE, and LLM_MAX_TOKENS. While these are necessary for the skill's function, LLM_API_KEY is a sensitive credential that the Python code has full access to.
INFO (-5): Paper content sent to third-party LLM API
The skill sends arXiv paper content (LaTeX source, abstracts, titles) to the configured LLM endpoint for classification and summarization. This is expected behavior but means paper content leaves the local machine.
INFO (-5): Standard network activity during installation
Network monitoring shows connections to GitHub (repo clone), Ubuntu update servers, and DNS. All connections are expected and no anomalous outbound traffic was detected.