Pet Sitter Intake Form Generator

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: pet-sitter-intake
Version: 5.0.1

The skill's core functionality is benign, generating PDFs using `reportlab`. However, the `SKILL.md` and `skill.yaml` instruct the AI agent to construct a shell command (`python scripts/generate_form.py`) using user-provided inputs. This pattern introduces a shell injection vulnerability if the OpenClaw agent does not adequately sanitize user input before executing the command, potentially allowing arbitrary command execution. While the Python script itself uses `argparse` for internal input sanitization, the risk lies in the agent's command construction. No evidence of intentional malicious behavior like data exfiltration or persistence was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When invoked, the skill can run the bundled Python script and create a PDF file on disk.

Why it was flagged

The skill explicitly uses local shell execution and filesystem writes to run the PDF generator. This is disclosed and directly supports the stated purpose, but it is still local tool authority users should notice.

Skill content

```yaml
permissions:
  - filesystem       # Write generated PDF files
  - shell            # Run Python script
```

Recommendation

Keep output paths in the intended workspace and use the skill only from a trusted installation.

What this means

A future dependency version could behave differently from the version the author tested.

Why it was flagged

The documented dependencies use lower-bound version ranges rather than exact pinned versions or a lockfile. This is common for small Python tools, but less reproducible than pinned dependency installation.

Skill content

```text
reportlab>=4.0.0
pyyaml>=6.0
```

Recommendation

If reproducibility matters, install in a virtual environment and pin reviewed versions of reportlab and pyyaml.

What this means

Clients may later enter home access codes, alarm details, or WiFi passwords into the generated form.

Why it was flagged

The generated intake form is designed to collect sensitive household access information. This is purpose-aligned for in-home pet care and can be disabled, but completed PDFs should be handled as sensitive records.

Skill content

```markdown
**Home Access Section** — Key codes, alarm info, WiFi, parking instructions
```

Recommendation

Use `--no-home-access` when these fields are unnecessary, and store or share completed forms securely.