智能文档助手 (Intelligent Document Assistant)

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your documents could be processed with a credential or endpoint you did not choose, even if you set the DOCPilot_API_KEY and DOCPilot_BASE_URL environment variables for your own account or server.

Why it was flagged

The code reads the environment variables first and then loads config.json on top of them with config.update(), so any key present in the file silently replaces the user's intended API key and base URL. The packaged skill also ships a config.json containing "api_key": "123456" and the default provider URL.

Skill content

config = {
    "base_url": os.environ.get("DOCPilot_BASE_URL", DEFAULT_BASE_URL),
    "api_key": os.environ.get("DOCPilot_API_KEY", ""),
}
...
if CONFIG_FILE.exists():
    ...
    config.update(file_config)

Recommendation

Before use, remove or replace the packaged config.json, confirm which base URL and API key are actually in effect at runtime, and prefer a precedence in which explicitly set environment variables override bundled files rather than the reverse.
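The precedence problem and the check the recommendation asks for, as an added example (not code from the skill or from ClawScan). The identifier names DOCPilot_BASE_URL, DOCPilot_API_KEY, DEFAULT_BASE_URL and config.update() are taken from the snippet above; the default URL value, the bundled file text and the user's environment values are constructed for the example, and the "123456" placeholder is the key the advisory reports in the packaged config.json. load_config_as_shipped reproduces the file-wins order; load_config_hardened makes the environment win and records where every value came from so audit_config can warn before any document is uploaded.

```python
import json
from typing import Mapping

# Names DOCPilot_BASE_URL, DOCPilot_API_KEY and DEFAULT_BASE_URL come from the
# skill snippet. The URL value and the bundled file's text are constructed for
# this example; "123456" is the placeholder key the advisory found in config.json.
DEFAULT_BASE_URL = "https://api.docpilot.example/v1"  # assumed value
BUNDLED_CONFIG_JSON = '{"api_key": "123456", "base_url": "https://api.docpilot.example/v1"}'
PLACEHOLDER_KEYS = {"123456"}

ENV_MAP = (
    # config key, environment variable, default when neither env nor file sets it
    ("base_url", "DOCPilot_BASE_URL", DEFAULT_BASE_URL),
    ("api_key", "DOCPilot_API_KEY", ""),
)


def bundled_file_config() -> dict:
    """Parse the constructed stand-in for the packaged config.json."""
    return json.loads(BUNDLED_CONFIG_JSON)


def load_config_as_shipped(env: Mapping[str, str], file_config: dict) -> dict:
    """Precedence as in the skill: read env first, then let the file overwrite it."""
    config = {key: env.get(var, default) for key, var, default in ENV_MAP}
    config.update(file_config)  # bundled values win, including the placeholder api_key
    return config


def load_config_hardened(env: Mapping[str, str], file_config: dict) -> tuple[dict, dict]:
    """Env beats file, file beats default; also report each value's source."""
    config, sources = {}, {}
    for key, var, default in ENV_MAP:
        env_value = env.get(var, "").strip()
        file_value = str(file_config.get(key, "")).strip()
        if env_value:
            config[key], sources[key] = env_value, "env"
        elif file_value:
            config[key], sources[key] = file_value, "file"
        else:
            config[key], sources[key] = default, "default"
    return config, sources


def audit_config(config: dict, sources: dict) -> list[str]:
    """Warnings a user would want to see before the first document is uploaded."""
    warnings = []
    if config["api_key"] in PLACEHOLDER_KEYS:
        warnings.append("api_key is the placeholder shipped in the bundled config.json")
    if sources["api_key"] == "file":
        warnings.append("api_key came from config.json, not from DOCPilot_API_KEY")
    if sources["base_url"] == "file":
        warnings.append("base_url came from config.json, not from DOCPilot_BASE_URL")
    if not config["api_key"]:
        warnings.append("no api_key is configured")
    return warnings


if __name__ == "__main__":
    file_config = bundled_file_config()
    # Constructed user environment: a real key and a private endpoint.
    user_env = {
        "DOCPilot_API_KEY": "sk-user-secret",
        "DOCPilot_BASE_URL": "https://llm.corp.internal/v1",
    }
    print("shipped :", load_config_as_shipped(user_env, file_config))
    cfg, src = load_config_hardened(user_env, file_config)
    print("hardened:", cfg, src, audit_config(cfg, src))
```

Run it and the shipped path prints the placeholder key and the provider URL even though the environment names a different key and server; the hardened path keeps the user's values and reports both as coming from "env". Deleting the bundled file is still the right first step, because the hardened loader only helps once the skill's own code is changed.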

What this means

Documents such as contracts, invoices, audits, and spreadsheets may contain confidential or personal information, and the skill sends the selected file to the external DocPilot service for processing.

Why it was flagged

The skill uploads the selected local document to the configured remote API for parsing, extraction, or classification. This is consistent with the stated purpose, but it is still a sensitive data transfer to whatever endpoint the resolved configuration names.

Skill content

with open(file_path, "rb") as f:
    files = {"file": (Path(file_path).name, f)}
    ...
    response = requests.post(api_url, headers=headers, files=files, data=data, timeout=120)

Recommendation

Use this only with documents you are permitted to upload to that provider, verify the provider URL that is actually in effect (not just the one you expect), and review the provider's retention and privacy terms before processing sensitive files.
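A pre-flight gate for the upload shown above, as an added example (not code from the skill or from ClawScan). It validates the api_url that requests.post() would receive against an allowlisted host, requires HTTPS, rejects URLs that embed credentials, and reports what the multipart request would carry (host, bare filename as on the page, size, digest) without sending anything. The allowlist host, the URL values and the sample document are constructed for the example; the real host is whatever the resolved base URL points at.

```python
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed for this example: the host you have decided is the legitimate provider.
ALLOWED_HOSTS = {"api.docpilot.example"}


def validate_api_url(api_url: str, allowed_hosts: set[str]) -> list[str]:
    """Return the problems found with api_url; an empty list means it passes."""
    problems = []
    parts = urlsplit(api_url)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if parts.username or parts.password:
        problems.append("URL embeds credentials")
    host = (parts.hostname or "").lower()
    if not host:
        problems.append("URL has no host")
    elif host not in allowed_hosts:
        problems.append(f"host {host!r} is not in the allowlist")
    return problems


def upload_preview(file_path, api_url: str, allowed_hosts: set[str]) -> dict:
    """Describe what requests.post(api_url, files={'file': (name, f)}) would send, without sending it.

    The URL is checked before the file is opened, so a bad endpoint never
    results in the document being read at all.
    """
    problems = validate_api_url(api_url, allowed_hosts)
    if problems:
        raise ValueError("refusing upload: " + "; ".join(problems))
    path = Path(file_path)
    data = path.read_bytes()
    return {
        "host": urlsplit(api_url).hostname,
        "filename": path.name,  # the multipart field carries only the bare name, as in the skill
        "size_bytes": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),  # record of exactly what left the machine
    }


def demo() -> dict:
    """Write a constructed sample document to a temp dir and preview its upload."""
    tmp = Path(tempfile.mkdtemp())
    doc = tmp / "contract.pdf"
    doc.write_bytes(b"%PDF-1.4 constructed sample, not a real contract\n")
    return upload_preview(doc, "https://api.docpilot.example/v1/parse", ALLOWED_HOSTS)


if __name__ == "__main__":
    print(demo())
    for url in ("http://api.docpilot.example/v1/parse",
                "https://collector.attacker.example/v1/parse",
                "https://user:pw@api.docpilot.example/v1/parse"):
        print(url, "->", validate_api_url(url, ALLOWED_HOSTS))
```

Wire this in front of the skill's requests.post() call (or run it once against the resolved base URL before first use) and the preview gives you a log line per document naming the host and content digest, which is what you will want if the provider's retention terms are ever questioned.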