Total downloads: 1895
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install peer-reviewer
Description
AI-powered academic paper reviewer. Uses a multi-agent system (Deconstructor, Devil's Advocate, Judge) to analyze papers for logical flaws, contradictions, and empirical validity.
Security recommendations for use
What to check before installing/use:
- Do not assume 'no required env vars' from registry metadata: the code uses several credentials (OpenAI/Gemini/Google Serper). Confirm which keys you must provide and why. If you don't want network calls, do not set API keys.
- Protect any google.json or service-account file — it contains powerful service account keys. If you provide GOOGLE_APPLICATION_CREDENTIALS or a google.json file, the skill will use it to call Vertex/Google APIs.
- The skill will send your paper text to external services (OpenAI/Gemini/Vertex/Serper/ArXiv). If your manuscript is sensitive or unpublished, this may be data leakage — consider redaction, running offline, or not providing API keys.
- SKILL.md references an absolute local development path (/Users/sschepis/...). That indicates documentation was not adapted for distribution; double-check paths before running to avoid accidentally reading/writing unintended files. Run the tool from an isolated directory or container and inspect the code locally first.
- The skill may execute an external CLI (serper-tool) via child_process. If you enable that path, verify the serper-tool binary is trustworthy and understand what it does.
- Recommended mitigations: run inside a sandbox or VM, inspect package.json and all source before running, avoid providing high-privilege credentials, or create a least-privilege service account for Google usage. Ask the author to update registry metadata to list required env vars and to remove hard-coded local paths in SKILL.md. If you cannot vet the author/packaging, treat the skill as untrusted and avoid running it on sensitive documents.
Functional analysis
Type: OpenClaw Skill
Name: peer-reviewer
Version: 1.0.0
The skill is classified as suspicious due to its broad file system access and the use of external command execution. The `src/index.ts` file allows reading of arbitrary local files if a path is provided as an argument to the CLI (`fs.readFileSync`). More critically, the `src/adapters/skill_search.ts` adapter uses `child_process.exec` to run an external `serper-tool` command, and `src/index.ts` explicitly attempts to execute a Node.js script from a relative parent directory (`../../serper-tool/dist/index.js`). While these capabilities are presented as part of the skill's intended functionality (reviewing papers, performing searches), they introduce significant supply chain risks and the potential for local arbitrary code execution if the external tool or its path is compromised. There is no clear evidence of intentional malicious behavior within this specific skill bundle, but the high-risk capabilities warrant a 'suspicious' classification.
Capability assessment
Purpose & Capability
The skill claims to be an academic peer reviewer and the code uses LLM adapters, search adapters (ArXiv, Serper), and local storage — which fits the stated purpose. However, the registry metadata declares no required environment variables or credentials while the code clearly expects multiple provider credentials (OPENAI_API_KEY, GEMINI_API_KEY/GOOGLE_API_KEY, SERPER_API_KEY, GOOGLE_APPLICATION_CREDENTIALS/./google.json, GOOGLE_CLOUD_PROJECT). That mismatch (metadata says 'none' but code requires secrets) is incoherent and surprising to a user.
Instruction Scope
SKILL.md instructs running node from a specific absolute development directory (/Users/sschepis/Development/peer-reviewer) and to ensure a google.json file or GOOGLE_APPLICATION_CREDENTIALS — both are environment- and path-sensitive. The runtime code will read local credential files, write reports to ./data, and may execute an external CLI (serper-tool) through child_process. The SKILL.md content also triggered a prompt-injection (system-prompt-override) detection; while the code contains strict LLM output constraints, the presence of prompt-injection patterns in the skill docs is a red flag. Overall the instructions encourage reading/writing local files and sending user content to external LLM/search services (expected for the purpose) but they do so without documenting required secrets or the privacy implications.
Install Mechanism
No install spec is present (instruction-only in registry), which is lower installer risk, but the package includes full source and package.json (npm-style). There are no remote downloads or obscure install URLs. Dependencies are standard (axios, google-auth-library, xml2js, dotenv). Because the package includes code that will be executed locally, the lack of an install manifest in the registry combined with included source is an odd packaging/documentation mismatch, but not inherently malicious.
Credentials
The skill requests (in code and README) multiple sensitive credentials and file access: OPENAI_API_KEY, GEMINI_API_KEY / GOOGLE_API_KEY, SERPER_API_KEY, GOOGLE_APPLICATION_CREDENTIALS or ./google.json, and potentially GOOGLE_CLOUD_PROJECT. These are proportional to a multi-provider reviewer, but the registry metadata claims no required env vars — an unexplained omission. The skill will also read a local credentials file if present and write reports to disk, so users must understand that their paper text and any provided credentials will be used to contact external services. Require/declare any secrets in metadata.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide settings. It persists reports to a local ./data directory and reads local credential files (google.json) if present; that is consistent with being a CLI tool. This level of persistence is expected for a local review tool, but users should note saved reports contain analyzed text and should be protected accordingly.
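How to use
- Make sure OpenClaw is installed (locally or via Docker)
- Enter the install command in the chat box: /install peer-reviewer
- Once installation finishes, call the Skill by name or use /peer-reviewer to trigger it
- Provide the necessary inputs according to the Skill's parameter description to get structured output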
Version history
v1.0.0
Initial publish
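Frequently asked questions
What is Peer Reviewer?
AI-powered academic paper reviewer. Uses a multi-agent system (Deconstructor, Devil's Advocate, Judge) to analyze papers for logical flaws, contradictions, and empirical validity. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1895 cumulative downloads to date.
How do I install Peer Reviewer?
Run the command "/install peer-reviewer" in the OpenClaw or Claude Code chat box for a one-step install, with no additional configuration required.
Is Peer Reviewer free?
Yes, Peer Reviewer is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Peer Reviewer support?
Peer Reviewer runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Peer Reviewer?
Developed and maintained by sschepis (@sschepis); the current version is v1.0.0.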