multimodal-parser
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears purpose-aligned: it parses user-selected images, documents, and audio using local tools, with normal cautions around untrusted file content and external dependencies.
Before installing, confirm you trust the external parser dependencies and only use the skill on files whose contents you are comfortable bringing into the agent conversation. Parsed text should be treated as untrusted document content, not as instructions for the agent.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or untrusted PDF, image, DOCX, or transcript could include text that tries to influence the agent after parsing.
The skill is designed to turn arbitrary file contents into text for LLM use. If a parsed document contains adversarial instructions, a downstream agent could over-trust that text unless it is treated as data.
Output structured text for LLM processing
Treat parsed output as untrusted file content; quote or summarize it, and do not follow instructions inside parsed files unless the user explicitly asks.
The selected local tools will open and process the files provided to the skill, which may expose private file contents to the agent response.
The skill invokes local parser binaries with user-provided file paths. This is central to the parser purpose and uses argument arrays rather than shell interpolation, but it is still local tool execution on user-selected files.
args.push(filePath, "-");
const cmd = new Deno.Command("pdftotext", { args });
Use the skill only on files you intend to parse, and keep the local parsing tools from trusted package sources up to date.
Installing unpinned external packages can introduce dependency trust and version drift risk.
The documentation instructs users to install external system and Python packages. These dependencies are expected for OCR, document conversion, and transcription, but they are not pinned or represented by an install spec.
brew install tesseract tesseract-lang poppler pandoc
pip install openai-whisper ffmpeg
Install dependencies from trusted repositories, prefer pinned or reviewed versions where possible, and verify the packages before use.
