Skill v1.1.0

ClawScan security

EPUB ↔ PDF Converter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 4:22 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only EPUB↔PDF conversion guide that consistently uses calibre/ebook-convert and related tooling and does not request unrelated credentials or perform unexpected actions.
Guidance
This skill is internally consistent and appears to do exactly what it says: convert between EPUB and PDF using calibre and common PDF tooling. Before using it: (1) verify and run package-manager install commands yourself (they will download and install software); (2) ensure pdftoppm/pdftotext (poppler) are available if you need page rendering/text extraction, since they are used but not explicitly listed as dependencies; (3) confirm the output path (research/sources/) is appropriate and does not overwrite sensitive files; (4) be mindful of copyright when converting and redistributing documents; and (5) if you want to be extra cautious, run conversions in a sandbox or VM to limit filesystem/network exposure.

Review Dimensions

Purpose & Capability
ok: The name/description (EPUB ↔ PDF conversion) matches the instructions: using calibre's ebook-convert and PDF tools to convert, validate, and inspect files. Required capabilities (file I/O, conversion tools) are appropriate for the stated purpose.
Instruction Scope
note: Instructions remain within conversion/validation scope (ebook-convert, pdftoppm, pdftotext, unzip, ls). They instruct installing packages via package managers and reading/writing files under paths like research/sources/. Minor issues: pdftoppm/pdftotext (poppler) are used but not listed explicitly in the Dependencies section; the SKILL.md also references saving/archiving/distribution which implies the agent will write output to user filesystem — expected for this task but worth noting.
Install Mechanism
ok: This is an instruction-only skill (no install spec, no code). The only installation commands are platform package-manager invocations (brew/apt/dnf) to install calibre — standard and proportionate. Users should validate package-manager commands before running but there's no embedded arbitrary download or archive extraction in the skill.
Credentials
ok: The skill declares no environment variables or credentials and does not ask for secrets. It only needs local filesystem access and command-line tools appropriate to conversion tasks — proportional to its purpose.
Persistence & Privilege
ok: always is false and there are no install-time actions that modify other skills or global agent configuration. The skill does instruct running system installs if the agent chooses to, but it does not request persistent elevated privileges or force inclusion.