Luke Pdf Read Summarize
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The PDF summarizer mostly matches its stated purpose, but it ships an unrelated upload script containing a hardcoded ClawHub API token.
Review or avoid installing this version until upload.sh is removed and the exposed token is revoked. If you still use the PDF tool, ensure python3 and PyMuPDF come from trusted sources and only process PDFs you intentionally provide.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who receives the skill package may see or misuse the embedded ClawHub credential, potentially affecting the publisher account or skill upload workflow.
The artifact includes a hardcoded bearer token and uses it for ClawHub API authentication, which is unrelated to reading or summarizing PDFs.
API_TOKEN="clh_..." ... -H "Authorization: Bearer $API_TOKEN"
Remove upload.sh from the distributed skill, revoke and rotate the exposed token, and use environment variables or a separate authenticated publishing process instead.
Although not shown as automatically executed, the extra upload helper increases supply-chain risk and could confuse users or maintainers about what belongs in the installed skill.
A publishing helper that zips and uploads the skill is bundled with the runtime artifacts, but this behavior is not part of the stated PDF-summary capability.
# Upload skill to ClawHub ... zip -r luke-pdf-read-summarize.zip . ... https://api.clawhub.ai/api/v1/skills/upload
Exclude publishing/developer scripts from the published package and keep runtime artifacts limited to the PDF tool and documentation.
Processing a PDF will execute local Python code and rely on the local PyMuPDF installation.
The tool runs a generated Python script to extract PDF text. This is purpose-aligned and does not use a shell, but it is still local code execution.
const pythonProcess = spawn('python3', [scriptPath, path], { ... });
Declare python3/PyMuPDF requirements, use safe temporary-file creation, and run the tool only in trusted environments with intended PDF files.
