pdf-nano
Review
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a normal PDF-processing skill, but one form-filling script can silently make persistent font changes on the local machine.
Review before installing or using. The PDF features look generally aligned with the stated purpose, but be aware that the form-annotation script may alter local font state. Use copies of sensitive PDFs, verify output paths, and avoid running the scripts with elevated privileges unless you understand the font-directory effects.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the form-filling workflow may modify your machine's font directories and font cache, not just create an output PDF.
When the annotation form-filling script runs, it searches for local assets/fonts directories, copies .ttf/.otf files into a writable font directory, and runs fc-cache. This creates persistent local environment changes that are not disclosed in SKILL.md or forms.md.
for item in source_dir.iterdir(): ... shutil.copy2(item, destination) ... subprocess.run([cmd, "-f", str(target_dir)], check=False)
Require explicit user approval before installing or copying fonts, disclose the behavior in the skill instructions, limit font handling to a temporary task directory when possible, and provide cleanup guidance.
The skill may fail until dependencies are installed, and users may need to choose package sources themselves.
The included scripts depend on external Python packages, while the registry metadata declares no install spec or required binaries. This is a setup/provenance gap rather than evidence of malicious behavior.
from pdf2image import convert_from_path
Declare required packages and optional system tools, preferably with pinned versions or trusted installation guidance.
