Skillv1.0.0

ClawScan security

CamScanner Erase Handwriting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 30, 2026, 7:58 AM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions, required tools, and network calls are consistent with its stated purpose (upload image → erase handwriting → download), but it sends user files to a third‑party server so users should consider privacy before using it.
Guidance: This skill appears to do what it says — it uploads your image to CamScanner's AI endpoint, removes handwriting, and returns a file you save locally. Before using: (1) confirm the endpoint (ai-tools.camscanner.com) is a legitimate CamScanner service and review its privacy/retention policy; (2) avoid uploading sensitive or regulated documents unless you accept that they will be processed by a third party; (3) test with non-sensitive images first; (4) ensure the output path you choose is secure and has appropriate permissions; and (5) if you are in a corporate environment with restrictions on external uploads, check policy or use a local/offline alternative.

Purpose & Capability: okName/description match the instructions: the SKILL.md shows a 3-step upload/enhance/download pipeline to ai-tools.camscanner.com. Required binaries (curl, jq) are appropriate for the provided shell examples. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope: noteInstructions only operate on a user-specified local image and save the output locally, which is coherent for the task. However the workflow posts the file to a third-party API (ai-tools.camscanner.com). This is expected for a cloud image enhancement service but has privacy implications — the skill explicitly states files are sent to CamScanner servers.
Install Mechanism: okNo install spec and no code files — instruction-only skill. This minimizes on-disk install risk; it only requires that curl and jq exist in PATH.
Credentials: okThe skill requests no environment variables, credentials, or config paths. That is proportionate to the documented anonymous upload/processing flow.
Persistence & Privilege: okalways:false and no install/persistence actions. The skill does not request permanent presence or modify other skills/configuration.