Is arxiv-watcher safe?

https://clawhub.ai/rubenfb23/arxiv-watcher

Score: 68 · CAUTION

The skill published as 'arxiv-watcher' actually contains 'stock-info-explorer': a complete slug/content mismatch and a significant red flag. The Python script itself appears functionally benign (stock data fetching and charting), but it resolves six unpinned PyPI dependencies at run time via 'uv run', so every execution trusts whatever PyPI serves that day, a meaningful supply chain attack surface. No active malicious behavior was detected during monitoring: no unexpected network connections, no canary file access, and no filesystem tampering. Note that monitoring observes one run with one set of dependency versions; it cannot vouch for versions fetched on a later run.

Category Scores

Prompt Injection: 85/100 (weight 30%)
Data Exfiltration: 80/100 (weight 25%)
Code Execution: 35/100 (weight 20%)
Clone Behavior: 95/100 (weight 10%)
Canary Integrity: 100/100 (weight 10%)
Behavioral Reasoning: 45/100 (weight 5%)

Findings (7)

HIGH · Slug/content mismatch: arxiv-watcher contains stock-info-explorer (penalty -30)

The skill is published under the slug 'arxiv-watcher', but the actual SKILL.md, _meta.json, and all source code are for 'stock-info-explorer', a completely different tool. This mismatch could indicate (1) a bait-and-switch in which the original skill was replaced, (2) a repackaging or typosquatting attack, or (3) a publishing error. Regardless of intent, users who install 'arxiv-watcher' get unexpected functionality, and that functionality includes shell execution driven by the skill's instructions.

HIGH · Runtime Python dependency resolution without pinning (penalty -35)

The script uses PEP 723 inline metadata with 'uv run --script' to resolve six PyPI dependencies (yfinance, rich, pandas, plotille, matplotlib, mplfinance) at run time. There is no lockfile, no hash pinning, and no version constraints, so every execution fetches whatever version is currently on PyPI, including any of the packages' transitive dependencies. PEP 723 metadata can carry version specifiers, and uv can lock a script's dependencies ('uv lock --script') and cap resolution at a date ('--exclude-newer'); none of these are used here. A compromise of any of these packages, or of a package they depend on, would result in arbitrary code execution on the user's machine the next time the skill runs.

MEDIUM · Skill instructs agent to execute shell commands (penalty -15)

The SKILL.md provides bash command templates that the LLM agent is expected to execute via shell. The commands themselves appear benign (running the yf.py script with stock tickers), but they establish a pattern in which the agent runs shell commands at the skill's direction, and a later edit to SKILL.md would change what those commands are without any change to the Python code. The argparse-based CLI accepts user-controlled ticker symbols that flow into yfinance API calls, so the values the user or the agent supplies should be restricted to plausible ticker strings before they are passed on.

LOW · Outbound network requests to Yahoo Finance (penalty -10)

The yfinance library makes HTTP requests to Yahoo Finance servers to fetch stock data. This is expected for the stated functionality, but it establishes an outbound network channel that a compromised dependency could reuse. No evidence of data exfiltration was observed in monitoring, but the capability exists.

LOW · Korean language text at end of SKILL.md (penalty -5)

The SKILL.md ends with a Korean-language note. It reads as a legitimate localization note describing the skill's capabilities, and in this case it translates to a benign description of the tool. The finding is recorded because text in a language other than the skill's primary one can be used to hide instructions from reviewers who do not read it, so such passages should always be translated rather than skipped.

INFO · Charts written to /tmp directory (penalty -5)

Generated chart images are saved to /tmp/{symbol}_pro.png and /tmp/{symbol}_simple.png. This is common practice for temporary output and poses no direct security risk, though /tmp is world-readable on most systems and these paths are predictable: on a shared host another local user can read the charts or pre-create the files. A private directory created with tempfile.mkdtemp() (mode 0700) would avoid both issues.

INFO · lock.json references different skill name (penalty -5)

The .clawhub/lock.json references 'academic-research-hub' rather than 'stock-info-explorer' or 'arxiv-watcher', a third name for the same package. This suggests the repository previously held different skill content or has been repurposed, and it is consistent with the slug/content mismatch reported above.