Skill v1.0.0

ClawScan security

Paper Parse · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 10, 2026, 4:35 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, instructions, and requested binaries match its stated purpose (PDF -> markdown with figure extraction); it asks for no secrets and performs only local file I/O and image generation.
Guidance
This skill appears coherent and only does local PDF parsing and image output. Before installing: (1) review the included script (you already have it) to confirm behavior; (2) be aware 'uv' will install two Python packages (PyMuPDF and pymupdf4llm) — review those package sources or run the skill in an isolated/ephemeral environment; (3) test with non-sensitive PDFs first and monitor network activity if you're concerned about dependencies contacting external endpoints.

Review Dimensions

Purpose & Capability
ok
Name/description ask for PDF parsing and figure extraction; SKILL.md and the included script both implement that. The required binary 'uv' is used to run the inline script and is appropriate for the declared usage.
Instruction Scope
ok
Runtime instructions only call the included script with a --pdf and optional --output-dir. The script reads the supplied PDF, writes markdown/JSON/images to the output dir, and does not reference other files, system configuration, or environment variables.
Install Mechanism
note
There is no install spec (instruction-only) and the script declares PyMuPDF and pymupdf4llm as Python dependencies via inline metadata that 'uv' will manage. This is expected, but installing third‑party PyPI packages carries the usual supply-chain risk — review those packages or install in an isolated environment.
Credentials
ok
The skill requires no environment variables, no credentials, and no config paths. The requested permissions are proportional to the task (only file read/write for the provided PDF and output folder).
Persistence & Privilege
ok
always:false and no modifications to other skills or global agent settings. The skill does not request persistent/system-level privileges.