Skillv1.0.4

ClawScan security

Clinical Data Extractor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 25, 2026, 2:48 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's declared purpose (extracting clinical trial data from webpages/PDFs) matches its instructions and requirements; nothing requested is disproportionate or unexplained.
Guidance: This skill appears coherent for extracting clinical trial data, but review these points before installing or using it: (1) The built-in browser will fetch arbitrary URLs and may download page content and images — only run it on sources you trust. (2) The skill writes markdown and image files into your home workspace (~/.openclaw/workspace by default); ensure you are comfortable with those files being created and adjust the output path if needed. (3) For PDF processing it relies on nano-pdf or pdftotext — verify those binaries are trustworthy or install them from your OS package manager. (4) The README references an optional GitHub repo clone; if you install that way, inspect the repo contents before running. If you need higher assurance, ask the author for the source repository and review the code that will run in your environment.

Purpose & Capability: okThe skill claims to extract clinical trial data from URLs/PDFs and its runtime instructions only require a browser tool, PDF text-extraction tools (nano-pdf / pdftotext) and write access to a workspace. Those requirements are appropriate for the stated goal.
Instruction Scope: noteSKILL.md instructs the agent to open webpages via the built-in browser, snapshot/screenshot pages, extract text/images, and write markdown and image files to ~/.openclaw/workspace. This stays within the stated scope, but it does involve network access to arbitrary URLs and writing user files; users should expect downloaded page content and images to be stored locally.
Install Mechanism: okNo automated install spec is included (instruction-only skill), so nothing arbitrary will be downloaded or written by an installer. README suggests an optional git clone from a GitHub repo, which is a standard, traceable install method if the user chooses it.
Credentials: okThe skill requests no environment variables or credentials. It does require Chrome (for the built-in browser), optional PDF utilities, and write permission to the user's workspace — all reasonable for webpage scraping and PDF processing.
Persistence & Privilege: okalways is false and the skill is user-invocable; it does not request elevated or persistent platform-wide privileges or modify other skills. File writes are limited to the configured workspace.