Security scan
OpenClaw
Suspicious
High confidence
Assessment recommendations
This skill does what it says — it extracts text from PDFs, sends chunks to external LLM/image services, builds prompts, downloads images, and can generate Matplotlib code — but take the following precautions before installing or running it:
- Privacy: The skill sends parts of your paper (up to ~12k chars per LLM call) to third-party services (BANANA2/acedata or their fallbacks). Do not use it with unpublished, sensitive, or proprietary manuscripts unless you trust the target service and its dat...
ℹ Purpose and capabilities
Name/description (paper → diagrams) aligns with the code and required env vars: the code calls image/LLM APIs (BANANA2/acedata) and has local PDF→text and plotting modules. Minor incoherence: SKILL.md declares BANANA2_API_URL as required even though the code provides a default fallback URL; otherwise required binaries and envs are generally proportional to the described purpose.
⚠ Instruction scope
The runtime instructions and code will send extracted paper text (up to ~12k chars per call) to external LLM/image generation endpoints and use responses to produce images. Critically, the chart_generator module asks an LLM to produce complete executable Python/Matplotlib code and then writes and executes that code locally via subprocess.run — this enables arbitrary code execution if the generated code or returned payload is malicious. The skill also downloads image URLs returned by remote services and writes outputs to home/workspace directories. All of these are coherent with the feature set but raise privacy and RCE risk.
✓ Installation mechanism
There is no external installer; the skill ships Python scripts and asks the user to pip-install standard PDF libs and requests. No arbitrary remote archive downloads or install scripts are present in the install spec. This is low-risk compared to fetching and executing remote installers.
ℹ Credential requirements
Declared env vars (BANANA2_API_KEY / BANANA2_API_URL, with fallbacks ACEDATA_API_KEY / PAPER_DIAGRAM_API_KEY) match the code's behavior of calling external image/LLM services. That is expected for this skill. Minor inconsistency: the SKILL.md marks BANANA2_API_URL as required despite the code providing a default URL when unset.
ℹ Persistence and permissions
The skill does not request 'always: true' and does not modify other skills. It writes outputs to ~/.qclaw/.../outputs or to a configurable PAPER_DIAGRAM_OUTPUT_DIR and may create that workspace. That file-system presence is reasonable for generated outputs, but be aware that files are written into your home directory by default.
Security comes in layers; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v1.1.0 (2026/4/12)
● Suspicious
Install command
Official: npx clawhub@latest install ynu-papergraphgeneration-qclaw
Mirror (accelerated): npx clawhub@latest install ynu-papergraphgeneration-qclaw --registry https://cn.longxiaskill.com