Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Boof
v4.0.0Convert PDFs and documents to markdown, index them locally for RAG retrieval, and analyze them token-efficiently. Use when asked to: read/analyze/summarize a...
⭐ 0· 902·7 current·7 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (PDF→markdown→RAG) matches the included files and script. Required tools (Java, Python venv with opendataloader-pdf, and QMD) are exactly what you would expect for local conversion and local semantic indexing. No unrelated binaries or credentials are requested.
Instruction Scope
The SKILL.md and scripts instruct the agent to run a local shell script that (a) runs opendataloader-pdf inside a venv to convert the provided file, (b) indexes the resulting markdown with qmd, and (c) writes output to a local directory. This stays within the stated purpose. Note: the setup and first-run steps will download QMD models (~1–2GB) and require network access when installing packages (pip / bun / qmd); logs are filtered in the script output which reduces noise but also hides some informational lines. The skill does not reference or exfiltrate unrelated system files or environment variables.
Install Mechanism
There is no automated install spec in the skill bundle; setup instructions tell the user to install Java, pip-install opendataloader-pdf into a venv, and install QMD via bun from a GitHub URL. These are standard, traceable sources (PyPI/GitHub/bun). No arbitrary binary downloads or extract-from-unknown-URLs are present in the bundle.
Credentials
No secrets or cloud credentials are required. Declared environment variables (ODL_ENV, QMD_BIN, BOOF_OUTPUT_DIR) are path/configuration variables appropriate for the task. The skill does not request unrelated tokens or passwords.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide configs. It writes converted files under a local output directory (default under the workspace) which is proportional to its function.
Assessment
Boof appears internally consistent with its stated purpose, but review these practical points before installing:
- The script runs locally and will execute Python/Java on your machine and write markdown to the specified output directory; only run it on documents you authorize.
- Installing opendataloader-pdf and QMD requires network access and will download packages and (on first run) QMD models (~1–2GB). Verify you trust the opendataloader-pdf and QMD sources (inspect their repos or package pages) before installing.
- The setup uses bun to install QMD from a GitHub URL — prefer installing in isolated environments (venv, container, or VM) if processing sensitive documents.
- No credentials are requested by the skill, but ensure you set a safe BOOF_OUTPUT_DIR if you do not want converted files stored under your home/workspace.
- If you need higher assurance, run the boof.sh commands manually in an isolated venv and review the opendataloader-pdf/QMD behavior during first-run model downloads.Like a lobster shell, security has layers — review code before you run it.
documentsvk97ep7zb5tjrrybxg5yc3hr2tx813wd5latestvk978w3h04g00567kthm9pc38vh8328f8pdfvk97ep7zb5tjrrybxg5yc3hr2tx813wd5ragvk97ep7zb5tjrrybxg5yc3hr2tx813wd5researchvk97ep7zb5tjrrybxg5yc3hr2tx813wd5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.