Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pdf Batch Tool

v1.0.0

Batch process PDFs with merging, splitting, converting to images, extracting text, adding watermarks, and compressing while preserving quality.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match a PDF batch processor. However _meta.json lists Python libraries (pypdf2, pdf2image) as requirements while the skill contains no code, no install steps, and SKILL.md provides only high-level pseudo-commands rather than concrete commands or API calls. It's unclear how the agent is expected to perform the operations or whether additional software will be installed.
Instruction Scope
SKILL.md gives example invocations in natural language/Chinese pseudo-syntax (e.g. "合并 PDF 文件列表=... 输出=...") rather than explicit commands or scripts. It does not instruct reading unrelated files or env vars, but the vagueness grants the agent broad discretion to choose tools or run arbitrary commands to implement tasks — a scope creep risk unless concrete implementation is provided.
Install Mechanism
There is no install spec (instruction-only), which is lower risk. But the manifest's requirements list includes Python packages, which suggests the skill expects a Python environment and libraries to be present; since there is no install mechanism or code, it's unclear who installs these dependencies and how, which is an operational mismatch.
Credentials
The skill requests no environment variables, no credentials, and no config paths. There are no declared sensitive requirements. That said, performing PDF processing will require filesystem read/write access to user files — expected for the stated purpose.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. The skill does not request persistent presence or modify other skills; no elevated privileges are declared.
What to consider before installing
This skill's description fits a PDF batch processor, but the runtime instructions are vague and there is no code or install script. The manifest lists Python packages (pypdf2, pdf2image) which are not provided or installed automatically. Before installing or using this skill:

1) Ask the publisher for the implementation code or a clear install/run guide.
2) Verify where and how dependencies will be installed (and whether they come from a trusted source).
3) Only test with non-sensitive PDFs and in an environment where installing Python packages is safe.
4) If the agent will run commands on your machine, prefer a skill that provides explicit, reviewable scripts or binaries.

If you cannot obtain these clarifications, treat the skill as untrusted.


latestvk972vsmzzrnmzdpjed7681ptzs83ra9s
