Smart Document Assistant (智能文档助手)
Review
Audited by ClawScan on May 10, 2026.
Overview
This document-processing skill appears purpose-aligned, but review it carefully because a bundled config file can override your intended API key or endpoint while selected documents are uploaded to an external service.
Install only if you trust the DocPilot/TokenAI service with the documents you plan to process. Before running it, inspect or delete the included config.json, set your intended API key and endpoint explicitly, and test with non-sensitive files to confirm where uploads are going.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your documents could be processed using an unintended credential or endpoint, even if you set environment variables for your own account or server.
The code loads config.json after reading environment variables, so the file can replace the user's intended API key and base URL. The provided package also includes config.json with "api_key": "123456" and the default provider URL.
config = {"base_url": os.environ.get("DOCPilot_BASE_URL", DEFAULT_BASE_URL), "api_key": os.environ.get("DOCPilot_API_KEY", "")} ... if CONFIG_FILE.exists(): ... config.update(file_config)
Before use, remove or replace the packaged config.json, confirm which base URL and API key are actually being used, and prefer a config precedence where explicit user environment settings override bundled files.
Documents such as contracts, invoices, audits, and spreadsheets may contain confidential or personal information and will be sent to the external DocPilot service for processing.
The skill uploads the selected local document to a configured remote API for parsing, extraction, or classification. This is consistent with the stated purpose, but it is a sensitive data transfer.
with open(file_path, "rb") as f: files = {"file": (Path(file_path).name, f)} ... response = requests.post(api_url, headers=headers, files=files, data=data, timeout=120)
Use this only with documents you are allowed to upload to that provider, verify the provider URL, and review the provider's retention and privacy terms before processing sensitive files.
